Hi all,

The Security department has signed the dll that comes as a part of the VSTO Excel Addin we created. We do not have access to the (private) key.

How do I create an installation package using our signed dll without the use of the key/certificate?

Note: our addin package also comes with the Microsoft.Office.Tools.Common.v4.0.Utilities.dll

Any ideas?

Thanks!

Your question doesn't make any sense. Why do you need that certificate to deploy a .DLL?? Where I work, we deploy stuff that's signed all the time, without doing anything special at all with a certificate. You just build the installer to put the files where you want them. That's it!

Unless you're talking about signing the .MSI with the same certificate??
 
 
Comments
Jozzle 20-Dec-13 10:19am    
Our security department signs .dll's only, which makes the computed hash different from what the application manifest (and VSTO) expects.

I cannot simply put the .dll back into the deployment, nor do I have access to the certificate to recompile the deployment.

We don't have an MSI, only the .VSTO (created by a release build) or the Setup.exe (created by a publish action), but I think the situation is comparable to that of an MSI?
Dave Kreskowiak 20-Dec-13 10:22am    
I never used the Visual Studio package. I always just created an .MSI installation by hand to install my signed files. No keys required...
Sergey Alexandrovich Kryukov 20-Dec-13 11:18am    
My 5. I also answered explaining logically what's wrong and what could be done. However, the case is way too pathological, so I'm very skeptical... :-)
—SA
There is such a joke: a completely drunk man sits in the cab and the driver asks him where to take him:
—"Where to?"
—"None of your business, you swine!"

Maybe your security department is like that drunk passenger. No, it cannot make any sense. You cannot produce a signed DLL without having the full key pair. The private key is never provided to the user, cannot be restored based on the public key and data, and it is needed for something; isn't it logical? And you really need to understand how public-key cryptography works:
http://en.wikipedia.org/wiki/Public-key_cryptography,
http://en.wikipedia.org/wiki/Digital_signature.

Actually, it can be a manifestation of the well-known organizational anti-pattern named "moral hazard":
http://en.wikipedia.org/wiki/Anti-pattern,
http://en.wikipedia.org/wiki/Moral_hazard.

For the really paranoid organizations, like yours (however, I doubt that working in your organization is possible at all), there is a mechanism of delayed key signing: http://msdn.microsoft.com/en-us/library/t07a3dye%28v=vs.110%29.aspx.

What to do? Maybe you need to contact some level of your administration and delicately hint that some idiots present in the structure totally sabotage the whole part of the business. But first, you need to learn and understand things yourself. But again, this case is so pathological that it rather belongs to one of those sites collecting comical computer absurdities. Not sure that working in your company is possible for a mentally healthy person.

—SA
 
 
Comments
Jozzle 23-Dec-13 9:55am    
Thank you for your answer. You're right. I'm not at all experienced in signing code, as I'm more focussed on Web Applications and yes, the organisation I work for is 'inflexible' to say the least...

But I have an issue to solve, so I put your sceptical prose aside, read up on things and try to get to the next point:

Eventually my initial question is perfectly explained and partially answered by Ade Miller in this blog: http://www.ademiller.com/blogs/tech/2008/03/delay-signing-vsto-add-in-projects/

Now, I need to regenerate my .manifest & .vsto files by use of mage.exe, but that uses the .pfx file, which makes sense, considering the public-key cryptography principles.

I've tried this locally with a temp certificate and it works like a charm. Now it's up to the security department, as I need them to use mage.exe and their .pfx to regenerate the two application files.

I've contacted them and they do not facilitate this (not yet, getting them to do so may take ages), so a subsequent question arises: is there an alternative way to get this signed .dll operational on client machines without the warning?

I have tried a Setup project (as described here, http://msdn.microsoft.com/en-us/vsto/ff937654.aspx) but that implies using the .manifest and .vsto file, which brings me back to the computed hash mismatch, I think.
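
The hash mismatch described in the comments above, as an added example that is not part of the original thread: the application manifest stores a digest of each deployed file, so any tool that rewrites the DLL after the manifest was generated invalidates that entry until the manifest is regenerated and re-signed. The manifest snippet, the file name MyAddIn.dll and the function names `check_manifest`, `b64_digest` and `demo` are constructed for illustration.

```python
import base64, hashlib, tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

ASM2, DSIG = "{urn:schemas-microsoft-com:asm.v2}", "{http://www.w3.org/2000/09/xmldsig#}"
SAMPLE = """<asmv1:assembly xmlns="urn:schemas-microsoft-com:asm.v2"
    xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
  <dependency>
    <dependentAssembly dependencyType="install" codebase="MyAddIn.dll">
      <hash>
        <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha256"/>
        <dsig:DigestValue>{digest}</dsig:DigestValue>
      </hash>
    </dependentAssembly>
  </dependency>
</asmv1:assembly>"""  # constructed, simplified manifest (not from the thread)

def b64_digest(algo, data):
    return base64.b64encode(hashlib.new(algo, data).digest()).decode()

def check_manifest(manifest_xml, base_dir):
    """Map each codebase in the manifest to 'ok', 'hash mismatch' or 'missing'."""
    results = {}
    for dep in ET.fromstring(manifest_xml).iter(ASM2 + "dependentAssembly"):
        codebase = dep.get("codebase")
        method = dep.find(ASM2 + "hash/" + DSIG + "DigestMethod")
        digest = dep.find(ASM2 + "hash/" + DSIG + "DigestValue")
        if codebase is None or method is None or digest is None:
            continue  # entries without a file hash (e.g. prerequisites)
        path = Path(base_dir, *codebase.split("\\"))
        if not path.is_file():
            results[codebase] = "missing"
            continue
        algo = method.get("Algorithm", "").rsplit("#", 1)[-1]  # "sha1" / "sha256"
        actual = b64_digest(algo, path.read_bytes())
        results[codebase] = "ok" if actual == digest.text.strip() else "hash mismatch"
    return results

def demo():
    with tempfile.TemporaryDirectory() as d:
        dll, built = Path(d, "MyAddIn.dll"), b"MZ constructed build output"
        dll.write_bytes(built)
        manifest = SAMPLE.format(digest=b64_digest("sha256", built))
        before = check_manifest(manifest, d)
        dll.write_bytes(built + b"constructed signature blob")  # stand-in for re-signing
        return before, check_manifest(manifest, d)

if __name__ == "__main__":
    print(demo())
```

Running `check_manifest` against the publish folder after the signed DLL is dropped in shows which entries need the manifests regenerated before deployment.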

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


