Sign strong name assemblies with SignTool using CSP library
This document provides an overview for signing strong name assemblies using the SignTool with the DigiCert Software Trust Manager CSP library.
A strong name consists of:
The assembly's simple text name
Version number
Culture information (if provided)
A public key
A digital signature
A strong name is created from an assembly file using a corresponding private key. The assembly file includes the assembly manifest, which lists the names and hashes of all the files that are part of the assembly.
Microsoft's strong name signing tools are based on the Legacy CSP (Crypto Service Provider). As a result, you must have the DigiCert® Software Trust Manager CSP installed on your system before you using a signing tool to create a strong name assembly.
Prerequisites
.NET Framework tools
.NET FX tools must be installed on the system to make use of sn.exe tool for signing and for configuring DigiCert® Software Trust Manager CSP on the system.
Limitations
This strong name CSP has the following limitations:
Only supports RSA keys.
Only supports SHA-1 digest algorithm.
Only requires key for strong name signing (certificate is not required).
Register the CSP
Dica
If you have downloaded and installed the Windows Clients Installer, the CSP is already downloaded and registered as part of the installation.
If you have downloaded the CSP as an individual file, register the CSP by following the steps below:
Copy the downloaded CSP to the C:\windows\System32 directory named ssmcsp.dll:
c:\windows\System32\ssmcsp.dll
To register the CSP, open a command prompt in Administrator mode and run:
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\DigiCert Software Trust Manager CSP" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\DigiCert Software Trust Manager CSP" /v "SigInFile" /t REG_DWORD /d 0 reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\DigiCert Software Trust Manager CSP" /v "Type" /t REG_DWORD /d 1 reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\DigiCert Software Trust Manager CSP" /v "Image Path" /t REG_SZ /d "ssmcsp.dll
To check if your CSP is successfully registered and ready to use, run:
C:\windows\system32\certutil.exe -csplist
Nota
You should see an entry named DigiCert Software Trust Manager CSP in the output.
Signing tools
Configuration
To create strong name assemblies using any of the signing tools mentioned below with keypairs protected with DigiCert® Software Trust Manager, users must first set up the DigiCert CSP (DigiCert® Software Trust Manager CSP) in the sn.exe tool:
Open command line in Administrator mode.
Run
sn.exe -c "DigiCert Secure Software Manager CSP"
.
Signing
There are various ways and tools for generating a strong name over an assembly. The table below explains the tools tested so far and the type of artifacts required.
Tool | Artifact type | Possible path of tool | Comments |
---|---|---|---|
sn.exe | Test signed assemblies (.dll files) | C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools\x64\sn.exe | Version number of Windows SDK and .NET framework tools may vary on your machine |
csc.exe | C# source code (.cs files) | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Installed location and version of .NET framework may vary on your machine |
Ilasm.exe | Intermediate code (.il files) | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe | Installed location and version of .NET framework may vary on your machine |
Sample signing commands
sn.exe
csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /target:library /keycontainer:hello_world /out:helloworld.dll *.cs.
ilasm.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe" /dll /key=@hello_world /quite helloworld.il
Strong name verification
If you are using the same machine for verification as signing and using sn.exe -v “assembly path” to verify, make sure that you have reset the CSP to default.
Open Command Prompt with Administrator privileges.
Run
sn.exe -c
Run for verification (without Administrator privileges)
sn -v
Nota
Set the CSP to default after signing to avoid any failures due to strong name verification while trying to install any software with strong name assemblies.
Troubleshooting
Make sure all the required and mandatory SM_* environment variables are set to connect to respective DigiCert ONE environment.
Make sure the CSP dll file exists at "C:\windows\System32\ssmcsp.dll" and "C:\windows\SysWOW64\ssmcsp.dll".
Check for .signingmanager\logs\ssmcsp.log file for any errors or warnings if logged.
Make sure “DigiCert DigiCert® Software Trust Manager CSP” is set using sn.exe command line. Refer to Signing Tools > Configuration section above for more details.