
Sign strong name assemblies with SignTool using CSP library

This document provides an overview of signing strong name assemblies using SignTool with the DigiCert Software Trust Manager CSP library.

A strong name consists of:

  • The assembly's simple text name

  • Version number

  • Culture information (if provided)

  • A public key

  • A digital signature

A strong name is created from an assembly file using a corresponding private key. The assembly file includes the assembly manifest, which lists the names and hashes of all the files that are part of the assembly.

Microsoft's strong name signing tools are based on the Legacy CSP (Cryptographic Service Provider). As a result, you must have the DigiCert® Software Trust Manager CSP installed on your system before you use a signing tool to create a strong name assembly.

Prerequisites

Limitations

This strong name CSP has the following limitations:

  • Only supports RSA keys.

  • Only supports SHA-1 digest algorithm.

  • Only requires key for strong name signing (certificate is not required).

Register the CSP

Tip

If you have downloaded and installed the Windows Clients Installer, the CSP is already downloaded and registered as part of the installation.

If you have downloaded the CSP as an individual file, register the CSP by following the steps below:

  1. Copy the downloaded CSP into the C:\windows\System32 directory and name it ssmcsp.dll, so that the file is at C:\windows\System32\ssmcsp.dll

  2. To register the CSP, open a command prompt in Administrator mode and run:

    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\DigiCert Software Trust Manager CSP"
    
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\DigiCert Software Trust Manager CSP" /v "SigInFile" /t REG_DWORD /d 0
    
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\DigiCert Software Trust Manager CSP" /v "Type" /t REG_DWORD /d 1
    
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\DigiCert Software Trust Manager CSP" /v "Image Path" /t REG_SZ /d "ssmcsp.dll"

  3. To check if your CSP is successfully registered and ready to use, run:

    C:\windows\system32\certutil.exe -csplist

    Note

    You should see an entry named DigiCert Software Trust Manager CSP in the output.
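
The registration steps above can be re-checked at any time with a read-only script. This is an added example, not DigiCert's own code: it uses the provider name, registry values and DLL paths given on this page (the SysWOW64 path comes from the Troubleshooting section) and assumes a 64-bit PowerShell session; the function name is hypothetical.

```powershell
# Added example (not DigiCert code): read-only check of the CSP registration.
# Provider name, registry values and DLL paths are the ones given on this page.
# Assumption: run from 64-bit PowerShell so System32 and HKLM are not redirected.
$ProviderName = 'DigiCert Software Trust Manager CSP'
$RegPath = "HKLM:\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\$ProviderName"
$Expected = [ordered]@{ 'SigInFile' = 0; 'Type' = 1; 'Image Path' = 'ssmcsp.dll' }
$DllPaths = "$env:windir\System32\ssmcsp.dll", "$env:windir\SysWOW64\ssmcsp.dll"

function Get-CspRegistrationProblem {
    $problems = @()

    # 1. Registry: the provider key and the three values written by "reg add".
    if (Test-Path -LiteralPath $RegPath) {
        $props = Get-ItemProperty -LiteralPath $RegPath
        foreach ($name in $Expected.Keys) {
            $actual = $props.$name
            if ($null -eq $actual) {
                $problems += "Registry value '$name' is missing"
            } elseif ($actual -ne $Expected[$name]) {
                $problems += "Registry value '$name' is '$actual', expected '$($Expected[$name])'"
            }
        }
    } else {
        $problems += "Provider key not found: $RegPath"
    }

    # 2. Files: the DLL locations listed under Troubleshooting.
    foreach ($dll in $DllPaths) {
        if (-not (Test-Path -LiteralPath $dll -PathType Leaf)) {
            $problems += "CSP DLL not found: $dll"
        }
    }

    # 3. CryptoAPI view: the provider must appear in "certutil -csplist".
    $cspList = & "$env:windir\System32\certutil.exe" -csplist 2>&1 | Out-String
    if ($cspList -notmatch [regex]::Escape($ProviderName)) {
        $problems += "'$ProviderName' is not listed by certutil -csplist"
    }

    return $problems
}

$found = @(Get-CspRegistrationProblem)
if ($found.Count -eq 0) {
    Write-Output 'CSP registration looks complete.'
} else {
    $found | ForEach-Object { Write-Warning $_ }
}
```

The script changes nothing on the system, so it does not need Administrator privileges.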

Signing tools

Configuration

To create strong name assemblies using any of the signing tools mentioned below with key pairs protected by DigiCert® Software Trust Manager, you must first set the DigiCert CSP (DigiCert® Software Trust Manager CSP) in the sn.exe tool:

  1. Open a command prompt in Administrator mode.

  2. Run sn.exe -c "DigiCert Secure Software Manager CSP".

Signing

There are various ways and tools for generating a strong name over an assembly. The table below explains the tools tested so far and the type of artifacts required.

Table 1. Tools

| Tool | Artifact type | Possible path of tool | Comments |
|---|---|---|---|
| sn.exe | Test signed assemblies (.dll files) | C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools\x64\sn.exe | Version number of Windows SDK and .NET framework tools may vary on your machine |
| csc.exe | C# source code (.cs files) | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Installed location and version of .NET framework may vary on your machine |
| Ilasm.exe | Intermediate code (.il files) | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe | Installed location and version of .NET framework may vary on your machine |


Sample signing commands

  • sn.exe

  • csc.exe

    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /target:library /keycontainer:hello_world /out:helloworld.dll *.cs

  • ilasm.exe

    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe" /dll /key=@hello_world /quiet helloworld.il

Strong name verification

If you verify on the same machine that you used for signing, and you use sn.exe -v "assembly path" to verify, make sure that you have reset the CSP to the default first:

  1. Open Command Prompt with Administrator privileges.

  2. Run sn.exe -c

  3. To verify, run (without Administrator privileges) sn -v

Note

Reset the CSP to the default after signing. Otherwise, strong name verification can fail when you try to install software that contains strong name assemblies.

Troubleshooting

  • Make sure all the required SM_* environment variables are set to connect to the respective DigiCert ONE environment.

  • Make sure the CSP dll file exists at "C:\windows\System32\ssmcsp.dll" and "C:\windows\SysWOW64\ssmcsp.dll".

  • Check the .signingmanager\logs\ssmcsp.log file for any logged errors or warnings.

  • Make sure “DigiCert® Software Trust Manager CSP” is set using the sn.exe command line. Refer to the Signing tools > Configuration section above for more details.

Reference

Create and use strong-named assemblies