2
votes

I have created a DLL that I am exposing via COM that I need to sign with a certificate.

I have created a Visual Studio 2008 project and it has a class library which contains the code for my ActiveX object. I then created an ASP.net page that is using it:

    <script type="text/javascript">
        var x = new ActiveXObject("Foo.Bar");

        x.SomeMethod();
    </script>

I ran the site and was getting a bunch of errors with security. I ran regasm /tlb /codebase foo.dll and installed it this way. I also changed a bunch of my security settings in IE to allow me to run unsigned ActiveX controls and everything worked fine.

Now I need to package this up in a CAB file and sign it with a Certificate so that I don't have to touch security settings (and so users don't have to do this as well).

Can someone let me know how to do this? I'm not even sure where to begin. I created a self-signed certificate with the makecert.exe tool but I'm not sure how to tie the certificate to the DLL or how to package it all up in a CAB and use that in the website.

1
Beyond the correct statements below about code-signing, you should be aware that writing ActiveX controls in .NET isn't a best-practice due to performance and side-by-side problems. At a minimum, you should try to compile to the .NETv4 framework, as this version can properly load side-by-side in a single process. - EricLaw

1 Answer

4
votes

Microsoft has a decent whitepaper/tutorial on how to go about doing this:

MSDN Article

Here is the long and short of it:

To sign your code

  1. Apply for a certificate from a certificate authority. See http://msdn.microsoft.com/workshop/security/authcode/certs.asp for instructions on obtaining a certificate.

  2. Get the latest tools for signing files and checking signatures. See http://msdn.microsoft.com/library/default.asp?URL=/library/psdk/crypto/cryptotools_4739.htm.

  3. Prepare your files to be signed. If you are signing any .exe, .ocx, .vbd or .dll file, you do not need to do anything special. If you are signing a .cab file, you must add the following entry to your .ddf file and remake your .cab file:

    .Set ReservePerCabinetSize=6144

  4. Sign your files using signcode.exe. The following is an example of how you might sign a file:

    Signcode -prog myfilename -name displayname -info http://www.mycompany-inc-10.com -spc mycredentials.spc -pvk myprivatekey.pvk

  5. Test your signature:

    • To test a signed .exe, .dll, .vbd or .ocx file, run chktrust filename where filename is the name of the file you signed.
    • To test a signed .cab file, run chktrust -c cabfilename.cab where cabfilename is the name of the .cab file you signed.
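
Steps 3 to 5 above run end to end from PowerShell, as an added example that is not part of the original answer or the MSDN article. The names foo.ddf and foo.cab, the display name and the example.com URL are assumptions; the signcode and chktrust options are the ones quoted in the answer, and the script assumes makecab, signcode and chktrust are on PATH and return a non-zero exit code on failure.

```powershell
# Added example: build foo.cab from foo.dll, sign it, then check the signature.
# foo.ddf / foo.cab, "Foo Control" and the example.com URL are assumed names.
$ErrorActionPreference = 'Stop'

# Step 3: directive file for makecab. ReservePerCabinetSize leaves room in the
# cabinet for the signature, so it must be set before the .cab is built.
$ddf = @'
.OPTION EXPLICIT
.Set CabinetNameTemplate=foo.cab
.Set DiskDirectory1=.
.Set Cabinet=on
.Set Compress=on
.Set MaxDiskSize=0
.Set ReservePerCabinetSize=6144
; Files to package, one per line
foo.dll
'@
# makecab expects a plain ASCII directive file
Set-Content -Path foo.ddf -Value $ddf -Encoding ASCII

# Run a command-line tool and stop the script if it reports failure
# (assumption: each tool signals failure with a non-zero exit code).
function Invoke-Tool {
    param([string]$Exe, [string[]]$ToolArgs)
    & $Exe @ToolArgs
    if ($LASTEXITCODE -ne 0) {
        throw "$Exe failed with exit code $LASTEXITCODE"
    }
}

# Build the cabinet from the directive file
Invoke-Tool makecab '/F', 'foo.ddf'
if (-not (Test-Path foo.cab)) { throw 'makecab did not produce foo.cab' }

# Step 4: sign the cabinet with the certificate and private key files
Invoke-Tool signcode '-prog', 'foo.cab', '-name', 'Foo Control',
    '-info', 'https://example.com/', '-spc', 'mycredentials.spc',
    '-pvk', 'myprivatekey.pvk'

# Step 5: verify the signature on the signed cabinet
Invoke-Tool chktrust '-c', 'foo.cab'
```

If the cabinet was built without the `ReservePerCabinetSize` line, rebuild it from the corrected .ddf and sign the new file.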