Setting up .NET clients

.NET Environments within CodeSign Protect allow you to store private keys in Trust Protection Platform rather than having them reside in a filesystem on a code signing workstation or build server.

How it works

When signing with a key that is protected by CodeSign Protect, the signing application references the CodeSign Protect CSP, which in turn performs the signing using a key stored either in the Trust Protection Platform secret store or in a connected HSM. CodeSign Protect removes the risk of having the private keys reside in a filesystem on the signing workstation.

Additional key protection using Flows

As with any Environment in CodeSign Protect, approval flows can be associated with the Environment to require one or more approvals before a key can be used to sign. Such protections eliminate the need for procedures such as delay signing, and even open up the ability to troubleshoot issues on a production build server without putting the key or its use at risk.

Using CodeSign Protect not only secures the key, but reduces complexity when using the key.

NOTE   The documentation in this section assumes familiarity with strong-naming concepts. To learn more, see strong-named assemblies at https://docs.microsoft.com/en-us/dotnet/standard/assembly/strong-named.

Steps to set up .NET

  1. A Code Signing Administrator sets up a .NET Environment Template. See Create Environment Templates.
  2. A Project Owner creates a Project with a .NET Environment or adds a .NET Environment to an existing Project. See Creating CodeSign Protect Projects.
  3. The CodeSign Protect CSP is installed on the code signing workstation. This installation can be done by the Key User or by an IT administrator. See Install CodeSign Protect Clients on signing workstations.
  4. The Key User integrates the signing applications with the CodeSign Protect CSP.

Integrating with .NET

The following examples show how to integrate CodeSign Protect with .NET signing applications. One example shows a standard integration, and the other shows a delay signing integration.

NOTE  The examples below use Sn.exe, which is bit-specific. When following the example integrations, make sure to use the version that matches your system.

Examples:

  • 32bit sn.exe: C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools\sn.exe
  • 64bit sn.exe: C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools\x64\sn.exe

Integrate signing applications with CodeSign Protect CSP

NOTE  See the next section for delay signing.

To use a key, you'll need either that key's Container or Alias. Both can be obtained with the CSPConfig.exe listobjects command:

CSPConfig.exe listobjects --env=net

Strongname-signing-SN-Prod [.NET]
Public Key:  RSA (2048 bits)
Container:   {585095c7-185b-4300-bb66-e69814136995}-signing
Alias:       Strongname-signing-SN-Prod
Key Use:     Signing

In your project's build files, add the reference to the CodeSign Protect CSP using either the Container or Alias value:

<KeyContainerName>{585095c7-185b-4300-bb66-e69814136995}-signing</KeyContainerName>

or

<KeyContainerName>Strongname-signing-SN-Prod</KeyContainerName>

Then remove the reference to the .snk file. Of the two properties below, the AssemblyOriginatorKeyFile element is the reference to remove; SignAssembly stays set to true so the assembly is still strong-name signed through the CSP:

<SignAssembly>true</SignAssembly>

<AssemblyOriginatorKeyFile>mykey.snk</AssemblyOriginatorKeyFile>

Update Sn.exe to point to the Venafi CSP and set the key container to be user-specific:

sn -c "Venafi Key Storage Provider" 24

sn -m n

These commands set the CSP and Provider type in the following Windows Registry locations:

  • 32-bit: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\StrongName
  • 64-bit: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\StrongName

To reset sn.exe back to its defaults, run the following:

sn -c

sn -m y

Delay signing integration

Obtain the public key from the signing system

  1. Use CSPConfig.exe listobjects to view the Alias of your signing key.

    CSPConfig.exe listobjects --env=net

    Strongname-signing-SN-Prod [.NET]
    Public Key:  RSA (2048 bits)
    Container:   {585095c7-185b-4300-bb66-e69814136995}-signing
    Alias:       Strongname-signing-SN-Prod
    Key Use:     Signing

  2. Update Sn.exe to point to the Venafi CSP and set the key container to be user-specific.

    Sn.exe -c "Venafi Key Storage Provider" 24

    Sn.exe -m n

    These commands set the CSP and Provider type in the following Windows Registry locations:

    • 32-bit: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\StrongName
    • 64-bit: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\StrongName
  3. Export the public key, replacing Alias with the Alias value shown in step 1.

    Sn.exe -pc Alias publickey.snk

  4. (Optional) Restore Sn.exe defaults

    Sn.exe -c

    Sn.exe -m y

    If you're going to be using the Venafi CodeSign Protect client exclusively on this system, you may not want to restore the defaults.

  5. Store the exported publickey.snk file in a place where development workstations can access it, such as in a code repository.

Delay sign on development workstations

  1. Configure your .NET projects to use the publickey.snk file, with the Delay sign only option enabled.
  2. Build your .NET projects.
  3. (Optional) Verify delay/test signing.

    Sn.exe -vf path_to_your_assembly
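The project-file side of both integrations, as an added example that is not from the Venafi documentation: one MSBuild project file that delay-signs with the exported publickey.snk on development workstations and signs fully through the CodeSign Protect CSP on the signing system, switched by an assumed CodeSignProtectSigning property. It assumes the Alias from the listobjects output above and that the build runs with the .NET Framework MSBuild and sn.exe toolchain.

```xml
<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <TargetFramework>net48</TargetFramework>
    <!-- Strong-name signing is always on; only the key source changes. -->
    <SignAssembly>true</SignAssembly>
  </PropertyGroup>

  <!-- Development workstations (default): delay sign with the public key
       exported by "Sn.exe -pc". No private key is present on these machines. -->
  <PropertyGroup Condition="'$(CodeSignProtectSigning)' != 'true'">
    <DelaySign>true</DelaySign>
    <AssemblyOriginatorKeyFile>$(MSBuildThisFileDirectory)publickey.snk</AssemblyOriginatorKeyFile>
  </PropertyGroup>

  <!-- Signing system: full signing through the CodeSign Protect CSP.
       CodeSignProtectSigning is an assumed property name; the Alias is the
       one shown by "CSPConfig.exe listobjects --env=net" on this page. -->
  <PropertyGroup Condition="'$(CodeSignProtectSigning)' == 'true'">
    <DelaySign>false</DelaySign>
    <KeyContainerName>Strongname-signing-SN-Prod</KeyContainerName>
    <!-- Deliberately no AssemblyOriginatorKeyFile: the private key never
         exists as a file on the signing system. -->
  </PropertyGroup>
</Project>
```

On a development workstation build normally and the assembly is delay-signed with the public key; on the signing system, after the sn -c / sn -m n configuration above, pass /p:CodeSignProtectSigning=true to sign through the CSP at build time, or keep the delay-signed build and re-sign it with Sn.exe -Rc as described next.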

Re-sign on signing system

  1. Use CSPConfig.exe listobjects to view the Alias of your signing key. This should be the same as the Alias used when exporting the public key.

    CSPConfig.exe listobjects --env=net

    Strongname-signing-SN-Prod [.NET]
    Public Key:  RSA (2048 bits)
    Container:   {585095c7-185b-4300-bb66-e69814136995}-signing
    Alias:       Strongname-signing-SN-Prod
    Key Use:     Signing

  2. Update Sn.exe to point to the Venafi CSP and set the key container to be user-specific.

    Sn.exe -c "Venafi Key Storage Provider" 24

    Sn.exe -m n

  3. Sign the assembly.

    Sn.exe -Rc path_to_your_assembly alias

  4. (Optional) Verify signing.

    Sn.exe -vf path_to_your_assembly