I have a VSTO project which combines C# and Excel. My employer requires me to sign this using a certificate for which I do not have a pfx file, I only have the certificate on a chip card.

I have read most manuals and questions asked here on signing VSTO, but all somehow assume I have the pfx file. My setup in Visual Studio is the following:

  1. "Sign the ClickOnce manifests" is checked; using "Select from Store" the certificate from the chip card is selected
  2. "Sign the assembly" is checked. I do not have the pfx file, so I hit "New" and created a certificate called assemblySigningCertificate.pfx (this might be a completely bogus step, but that's the only pfx I get)
  3. after publishing the project, I run a script that updates the signatures using mage.exe such as

    set AppPublishPath=publish
    set AppPublishVersionPath=publish\Application Files\diagramUnifier_1_0_0_0

    copy bin\Debug\*.dll "%AppPublishVersionPath%"
    copy bin\Debug\*.dll.config "%AppPublishVersionPath%"
    copy bin\Debug\*.exe "%AppPublishVersionPath%"

    mage.exe -update "%AppPublishVersionPath%\diagramUnifier.dll.manifest" -ch "… certificate hash from certmgr.msc "
    mage.exe -update "%AppPublishVersionPath%\diagramUnifier.vsto" -appmanifest "%AppPublishVersionPath%\diagramUnifier.dll.manifest" -ch "… certificate hash from certmgr.msc "
    mage.exe -update "%AppPublishPath%\diagramUnifier.vsto" -appmanifest "%AppPublishVersionPath%\diagramUnifier.dll.manifest" -ch "… certificate hash from certmgr.msc "

Once all this is done, I install the VSTO and run the xlsm file. I receive a "SignatureDescription could not be created from the signature algorithm supplied" error pointing to the VSTO file. Details of the error provide only a stack trace, nothing else.

My questions are:

  1. Is it even possible to sign a VSTO project without a certificate for which I have a pfx file?
  2. If I don't have the pfx file, is it the right thing to create a new certificate in the "Sign the assembly" section of the settings?
  3. Am I doing something else entirely wrong?

Any help is much appreciated, Daniel

2 Answers

Problem: When a certificate is created by using selfcert.exe, its private key cannot be exported. The export wizard of the Windows certificate console says "the associated private key is marked as not exportable".

Solution version 1: Use makecert.exe with the "-pe" option to create and store the certificate with an exportable private key:

    makecert -r -pe -n "CN=Your Name" -b 01/01/2000 -e 01/01/2099 -eku 1.3.6.1.5.5.7.3.3 -ss My

Then you can export the certificate from the Windows certificate store, including the private key.

Note: Old versions of makecert.exe do not support the "-pe" option. The .NET Framework SDK 2.0 and the October 2002 version of the Platform SDK (build 3718.1) contain a new version of makecert.exe (5.131) that supports the "-pe" option. (The .NET Framework SDKs 1.0 and 1.1 both contain old versions of makecert.exe that do not support the "-pe" option).

Solution version 2: The following commands can be used to create a PFX file (PKCS #12) that contains a self-signed certificate together with the associated private key:

    makecert -r -n "CN=Your Name" -b 01/01/2000 -e 01/01/2099 -eku 1.3.6.1.5.5.7.3.3 -sv selfcert.pvk selfcert.cer
    cert2spc selfcert.cer selfcert.spc
    pvkimprt -pfx selfcert.spc selfcert.pvk

The last command (pvkimprt -pfx) creates the file selfcert.pfx. This PFX file can then be imported into the Windows certificate store and used for code signing. (makecert.exe and cert2spc.exe are part of several Microsoft SDKs, e.g. the Platform SDK or the DotNet SDKs, which can be downloaded from microsoft.com. pvkimprt.exe can be downloaded individually from Microsoft.)

Are you saying that you do not have the private key for the certificate? If that's the case then you definitely cannot sign the assembly/installer. The whole point of signing is to certify that the assembly comes from a trusted/certified source (i.e. the certificate (private key) holder).

Who is your employer? Larger companies have processes in place to get installers and assemblies signed via their IT/Security department. I'd double check that is not the case where you work.

On another point... Do you have .NET 4.5 installed? See here; it might help...

This change is due to the fact that we stopped using legacy certificates as default (SHA-1) in NetFX4.5 to sign manifest and instead, use newer version (SHA-256), which is not recognized by NetFx4.0 runtime. Therefore, while parsing the manifest, 4.0 runtime complains of an invalid manifest. For legacy frameworks, when we try to run a ClickOnce app on a box that does not have targeted runtime, ClickOnce pops up a message to user saying “you need xxxx.xx runtime to run this app”. But starting .NET 4.5, if a 4.5 ClickOnce app is run on the box with only .NET 4.0 installed, the message complains about an invalid manifest. In order to resolve the issue, you must install .Net Framework 4.5 on the target system.
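A quick way to tell which of the two causes discussed above applies to a published manifest: read the XML-DSig `SignatureMethod` out of the .vsto / .dll.manifest and compare the embedded signer certificate's thumbprint with the hash passed to `mage -ch`. This is an added example, not code from the question or either answer; the sample manifest and its X509Certificate bytes are constructed placeholders, and the runtime-version mapping assumes the .NET 4.0 vs 4.5 behaviour quoted in the answer.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

DSIG = "http://www.w3.org/2000/09/xmldsig#"

# Signature URIs and the lowest .NET runtime whose SignedXml has a SignatureDescription
# registered for them (assumption from the quoted answer: 4.0 knows rsa-sha1 only,
# 4.5 added rsa-sha256 and made it the default for manifest signing).
KNOWN_ALGORITHMS = {
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1": "4.0",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256": "4.5",
}

# Constructed sample: a trimmed manifest signature block. Not a real manifest; the
# X509Certificate content is a made-up DER stub, enough to exercise the thumbprint path.
SAMPLE_MANIFEST = """<asmv1:assembly xmlns:asmv1="urn:schemas-microsoft-com:asm.v1">
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
    </SignedInfo>
    <SignatureValue>AAAA</SignatureValue>
    <KeyInfo>
      <X509Data><X509Certificate>MIIBAAAA</X509Certificate></X509Data>
    </KeyInfo>
  </Signature>
</asmv1:assembly>
"""


def inspect_manifest(xml_text):
    """Per Signature element: algorithm URI, minimum runtime that can verify it, and the
    SHA-1 thumbprint (the value certmgr.msc shows) of any embedded signer certificate."""
    results = []
    for sig in ET.fromstring(xml_text).iter(f"{{{DSIG}}}Signature"):
        method = sig.find(f"./{{{DSIG}}}SignedInfo/{{{DSIG}}}SignatureMethod")
        alg = method.get("Algorithm") if method is not None else None
        # An unregistered URI is exactly what produces "SignatureDescription could not
        # be created from the signature algorithm supplied" at install time.
        min_runtime = KNOWN_ALGORITHMS.get(alg, "unknown: runtime will reject")
        thumbprints = [hashlib.sha1(base64.b64decode(c.text.strip())).hexdigest().upper()
                       for c in sig.iter(f"{{{DSIG}}}X509Certificate")]
        results.append({"algorithm": alg, "min_runtime": min_runtime, "thumbprints": thumbprints})
    return results


def matches_expected_hash(xml_text, expected_thumbprint):
    """True when every signature embeds the certificate whose hash was given to mage -ch."""
    want = expected_thumbprint.replace(" ", "").upper()
    return all(want in r["thumbprints"] for r in inspect_manifest(xml_text))
```

Run it against the real `diagramUnifier.vsto`: a `min_runtime` of 4.5 on a machine with only .NET 4.0 explains the error from the question, while a thumbprint mismatch points at the wrong certificate having been selected.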