It’ll output something along the lines of: Code Signing Key Located Save the file and run it.\ Get-CodeSigningKe圜ontainer.ps1 I’ve written a script (signed, of course) that will print the key container for your code signing key, provided it’s stored within your user’s Personal key store (which, AFAIK, it needs to be there, so if you don’t have it stored there you’ll need to figure that bit out).ĭownload the gist for the script here. We need to find the Key Container name for your code signing key. This switches the default provider to your Smart Card. Replace Microsoft Base Smart Card Crypto Provider if the Crypto Provider, above, was different. Run the following command: $ sn.exe -c "Microsoft Base Smart Card Crypto Provider" Open up a (non-administrator) Developer Command Prompt and cd to the folder that has the library you want to sign. Launch an Administrator PowerShell prompt – keep it open because we’ll use it later – but for now, run the following: CD HKLM: \SOFTWARE \Microsoft \Cryptography \SmartCards
By default, Windows 8+ uses the Microsoft Base Smart Card Crypto Provider for smart cards, but if you’ve installed other smart card providers (OpenSC), this may be different, so we’ll verify that. By default, the sn tool uses the Microsoft Base Cryptography Provider, which won’t find the key on your Smart Card. The first thing you need to do is point sn.exe at the right crypto provider.
Step 1 - Get the Smart Card Crypto Provider
It’s, apparently, done so infrequently, that the documentation gives very few hints as to how to actually accomplish it. Unfortunately, it’s not exactly straight-forward to use this tool with a certificate installed to a Smart Card. To strong-name sign, you use the sn.exe tool. Like any good security process, the best way to prevent a leak is to make it impossible to leak.
In theory, at least, that private key has never seen the Internet, and will never exist in storage or memory of any machine I sign software on.Īll of that trouble also means that if I use that same key for strong name signing, I can never accidentally publish the private key in a repo.
I generated the CSR on a Linux live CD and ensured I made a backup only to an encrypted storage medium protected by a different password than the PIN on my Yubikey. Smart Cards work by storing the private key in non-exportable storage and performing all cryptographic operations on-device. The Yubikey is basically a USB Smart Card device. My key would serve as a positive identity of me when anyone used an executable signed with it. When I acquired my code signing key, I understood the value of what I was getting. Whoops! I know and follow best practices with certificates that I use, but for whatever reason, I treated this “generated on-the-fly” keypair with reckless abandon. The problem is that I can be a little absent-minded and on at least one occasion, I published a strong name key to a public git repo. It’s also helpful to others who might use those libraries. The main reason is that I use some of these libraries in projects that require strong names, so it’s an added convenience not to have to ildasm/ ilasm sign them on a one-off basis. First, I like to strong name my libraries if they’re going to be put out on a NuGet server (either the public one or the one I use internally at work or at home). So for all practical purposes, there’s really no great reason to use your code signing certificate to generate the strong name. Net Framework validates a library’s strong name, it doesn’t care what the origin of the signature is, or its trust chain. NET adds a signature to a library or executable that ensures that when a program references that library or executable, that it’s getting the right one. Code Signing keys are most similar to EV certificates (and, in fact, require the same kind of validation involving a notary, lawyer or CPA and a bunch of documentation proving your name, address, phone and other things).Ī Strong Name in. Code Signing (referred to by the trademarked “Authenticode” in the Microsoft world) verifies a library or executable originated from a person or organization.Ī Code Signing key validates identity. You'll still want to read this part since there's a lot here that isn't covered in the follow-up, but skip the Visual Studio related steps.įirst things first, strong naming and Code Signing and Strong Naming serve two different purposes.
In addition, a much easier way was discovered and that's been written about in Part 2.
Note: This post was updated on with some corrections. Net Assembly With a Yubikey/Smart Card and Code Signing Key Friday, SeptemCode Signing != Strong Name Signing