SN v2.0 Works With PFX Files

One enhancement to the v2.0 SN tool that may not get noticed right away is that it now has the ability to work with PKCS #12 PFX files in addition to SNK files.  The logic here is that a self-signed certificate stored in a PFX file is the moral equivalent of an SNK key, except that it gives you the added benefit of storing your key in encrypted form rather than in the SNK's plaintext format.

This feature should be entirely transparent -- anywhere that SN takes a key file as input, you can now specify a PFX file instead. SN will detect this and prompt you for a password:

C:\Build>sn -R DelaySigned.exe KeyPair.pfx

Microsoft (R) .NET Framework Strong Name Utility Version 2.0.50727.42
Copyright (c) Microsoft Corporation. All rights reserved.

Enter the password for the PKCS#12 key file:
Assembly 'DelaySigned.exe' successfully re-signed

Your password will not echo to the screen as you type it.

There are a few limitations to this feature, however.  Since it was designed with self-signed certificates in mind, SN will not accept a PFX file which contains multiple certificates (there's no way to tell it which certificate you wish to use).

Also, SN will not allow you to redirect standard input and load the password from a pipe.  (In this case it gives a rather cryptic error message, "Failed to parse the PKCS#12 blob in KeyPair.pfx -- The handle is invalid."  We'll replace that message with something a bit more descriptive in a future release.)

Finally, the PFX file must have a password, even if that password is blank.  SN will never attempt to read a certificate with a NULL password.

If you want to create a self-signed PFX key, the easiest way is to use Visual Studio 2005.  In the project properties Signing tab, tell Visual Studio to create a new strong name key file.  VS will show you this dialog:

Selecting "Protect my key file with a password", the default option, creates a PFX file.  If you uncheck that option, you'll create a traditional SNK file.  VS will enforce that your password be at least six characters long.  It also provides the ability for you to change the password of an existing key pair.

Comments

  • Anonymous
    February 14, 2006
    Shawn,

    Great post!  While I have yet to use this feature of VS2k5/SN yet, I look forward to in the future.

    I really appreciate your clarification regarding self-signed certs.  This was/is something that I've struggled with when it came to strong-naming/signing assemblies: where do the keys come from??  Any Joe can use SN to generate key pairs and the Fx 1.1 docs did not go into much detail as to where the keys came from - just generate them using the tool and sign away.

    I take it that the real intent here is for companies to sign their binaries using their cert they purchase from Thawte (http://www.thawte.com/ssl-digital-certificates/code-signing/index.html, or whomever), or if you're so fortunate enough to have a robust PKI implementation - use your own.

    Is this correct?

    Thanks again!  Your blog is awesome.

    Harris

  • Anonymous
    February 19, 2006
    What about getting the key from the store? There is no UI support plus using AssemblyKeyName attribute yields a warning.

  • Anonymous
    February 22, 2006
    Hi Harris,

    The keys generated with the sn -k command are actually randomly generated.  We ask the default CSP to give us a new key, and it goes ahead and creates one for us :-)

    -Shawn

  • Anonymous
    January 20, 2007
    It kills me that the names for these processes are "Code signing" and "Strong Name signing". So this

  • Anonymous
    September 12, 2009
    Hi, how about the C# compiler?  Does the /keyfile option of csc accept a pfx file?  I tried the 3.5 version and it keeps saying 'CS1548: Cryptographic failure ... Bad version of provider.'

  • Anonymous
    September 21, 2009
    > C:\Build>sn -R DelaySigned.exe KeyPair.pfx

    That will not work unless sn.exe is inside C:\Build.

  • Anonymous
    November 05, 2009
    No, the C# compiler does not work with PFX files.  In order to use a PFX file with C#, you need to do a few steps:

    1. Use SN to extract the public key from the PFX file:
       sn -p Key.pfx PublicKey.snk
    2. Use C# to delay sign your assembly:
       csc /delaysign /keyfile:PublicKey.snk YourAssembly.cs
    3. Use SN to complete the signing process:
       sn -R YourAssembly.exe Key.pfx

    -Shawn
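The following build script is an added example and is not part of the original post, of the SN tool, or of Shawn's comment. It wraps the three-step PFX workflow from the comment above in a PowerShell script, and before running it checks the PFX against the limitations the post lists (exactly one certificate, with its private key). The pre-flight check uses Get-PfxData from the Windows PKI module, which the post does not mention; sn.exe and csc.exe are assumed to be on PATH (for example in a Visual Studio command prompt), and all file names are placeholders.

```powershell
# Added example (not from the original post): validate a PFX the way sn.exe
# will, then extract the public key, delay-sign with csc, re-sign with sn.
# Assumes sn.exe and csc.exe are on PATH; paths below are placeholders.
param(
    [string]$PfxPath   = '.\KeyPair.pfx',
    [string]$Source    = '.\Program.cs',
    [string]$Assembly  = '.\YourAssembly.exe',
    [string]$PublicKey = '.\PublicKey.snk'
)
$ErrorActionPreference = 'Stop'

function Test-StrongNamePfx {
    # Throws unless the PFX is one sn.exe accepts: a single certificate that
    # carries its private key. Get-PfxData needs the password, and sn cannot
    # read it from a pipe, so the user is prompted here and again by sn.
    param([string]$Path)
    $pw  = Read-Host -Prompt "Password for $Path (pre-flight check)" -AsSecureString
    $pfx = Get-PfxData -FilePath $Path -Password $pw
    $count = @($pfx.EndEntityCertificates).Count + @($pfx.OtherCertificates).Count
    if ($count -ne 1) {
        throw "$Path contains $count certificates; sn.exe only accepts a PFX with exactly one."
    }
    $cert = @($pfx.EndEntityCertificates)[0]
    if (-not $cert -or -not $cert.HasPrivateKey) {
        throw "$Path carries no private key, so it cannot be used to sign."
    }
    Write-Host "PFX OK: $($cert.Subject) (thumbprint $($cert.Thumbprint))"
    return $cert
}

function Invoke-Step {
    # Runs one external command and stops the build on a non-zero exit code,
    # so a failed sn/csc step is never silently ignored.
    param([string]$Description, [scriptblock]$Command)
    Write-Host "==> $Description"
    & $Command
    if ($LASTEXITCODE -ne 0) { throw "$Description failed (exit code $LASTEXITCODE)" }
}

$null = Test-StrongNamePfx -Path $PfxPath

# 1. Public key only, written as an .snk (sn prompts for the PFX password).
Invoke-Step 'Extract public key from PFX' { sn -p $PfxPath $PublicKey }

# 2. Delay-sign: the public key is embedded, the signature slot is left blank.
Invoke-Step 'Delay-sign with csc' { csc /nologo /delaysign /keyfile:$PublicKey /out:$Assembly $Source }

# 3. Fill in the signature with the private key from the PFX (prompts again).
Invoke-Step 'Re-sign with sn' { sn -R $Assembly $PfxPath }

# 4. Check that the assembly now verifies; fails if the signature is missing.
Invoke-Step 'Verify strong name' { sn -v $Assembly }
```

Because the post notes that sn refuses a password from a redirected standard input, the script deliberately leaves both sn prompts interactive rather than trying to feed the password in; the separate pre-flight prompt is the price of catching a multi-certificate PFX before sn reports its cryptic parse error.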