HOW TO: Alter the "SetSecurity" project to grant full trust to the add-in installation folder instead of the add-in assembly

It's better late than never: I have been wanting to write this post for a long time, and it looks like the time has finally come! This post is about adapting the "SetSecurity" project to grant Full Trust to the add-in installation folder instead of just the add-in assembly.

What is "SetSecurity"? It is a sample project that comes with the Deploying Office Solutions Using Windows Installer Version 3 Sample. The project grants trust to the customization assembly using a custom action. Want to know more? Read the following articles about Deploying Visual Studio 2005 Tools for Office Second Edition Solutions and Granting Permissions.

Deploying Visual Studio 2005 Tools for Office Second Edition Solutions Using Windows Installer (Part 1 of 2)
https://msdn.microsoft.com/en-us/library/bb332051.aspx

Deploying Visual Studio 2005 Tools for Office Second Edition Solutions Using Windows Installer: Walkthroughs (Part 2 of 2)
https://msdn.microsoft.com/en-us/library/bb332052.aspx

How to: Grant Permissions to Folders and Assemblies
https://msdn.microsoft.com/en-us/library/zdc263t0(VS.80).aspx

Why do I need to grant full trust to the add-in installation folder instead of the assembly? If your add-in is simple and contains only one assembly, this is not required. You need to do this when your project references other assemblies that are deployed to the installation folder along with your add-in assembly.

If only the add-in assembly is trusted, your add-in will throw a security exception when it tries to load the other assemblies, because they are not trusted. If we trust the installation folder, all the assemblies in that folder are trusted and the add-in works fine.

Only a very small change is needed, and it is made in the AddSecurityPolicy method in the "CaspolSecurityPolicyCreator.cs" file.

Below are the changes:

1) Replace the following line:

 string arguments = policyLevel + " -q -ag " + parentCodeGroup + " -url \"" + solutionInstallationUrl + "\" Nothing -n \"" + solutionCodeGroupName + "\" -d \"" + solutionCodeGroupDescription + "\"";

With

 string arguments = policyLevel + " -q -ag " + parentCodeGroup + " -url \"" + solutionInstallationUrl + "\" FullTrust -n \"" + solutionCodeGroupName + "\" -d \"" + solutionCodeGroupDescription + "\"";

2) Comment out or delete the following try..catch block:

 

 // Add the assembly code group. Grant FullTrust permissions to the main assembly.
try
{
    // Use the assembly strong name as the membership condition.
    // Ensure that the assembly is strong-named to give it full trust.
    AssemblyName assemblyName = Assembly.LoadFile(assemblyPath).GetName();
    arguments = policyLevel + " -q -ag \"" + solutionCodeGroupName + "\" -strong -file \"" + assemblyPath + "\" \"" 
           + assemblyName.Name + "\" \"" + assemblyName.Version.ToString(4) + "\" FullTrust -n \"" 
           + assemblyCodeGroupName + "\" -d \"" + assemblyCodeGroupDescription + "\"";

    RunCaspolCommand(frameworkFolder, arguments);
}
catch (Exception ex)
{
    try
    {
        // Clean the solutionCodeGroupName.
        RemoveSecurityPolicy(machinePolicyLevel, solutionCodeGroupName);
    }
    catch { }

    string error = String.Format("Cannot create the security code group '{0}'.", assemblyCodeGroupName);
    throw new Exception(error, ex);
}

These are the only two changes we need to make. The first change grants "FullTrust" instead of "Nothing" to the code group whose membership condition is solutionInstallationUrl, and the second change deletes the code that grants trust to the add-in assembly by its strong name.

The rest is covered in the Deploying Visual Studio 2005 Tools for Office Second Edition Solutions Using Windows Installer: Walkthroughs (Part 2 of 2) article mentioned above.
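
As an added illustration (not code from the SetSecurity sample), the C# below builds the folder-level caspol command line from change 1 together with the matching removal command for the uninstall custom action. The class and method names, the sample folder and the group name are assumptions; because the FullTrust grant covers everything under the URL and the values are concatenated into one command line, it refuses a drive root and rejects values that cannot be quoted safely.

```csharp
using System;
using System.IO;

// Added example: hypothetical helper, not part of the SetSecurity sample.
static class FolderTrustArguments
{
    // The values are concatenated into one command line, so a quote (or a
    // trailing backslash, which escapes the closing quote) must be rejected.
    static string Quote(string value, string what)
    {
        if (string.IsNullOrEmpty(value) || value.IndexOf('"') >= 0 || value.EndsWith("\\"))
            throw new ArgumentException(what + " is empty or not safe to quote.");
        return "\"" + value + "\"";
    }

    // A URL membership condition covers a folder only with a trailing wildcard.
    public static string FolderUrl(string installFolder)
    {
        string full = Path.GetFullPath(installFolder);
        if (full == Path.GetPathRoot(full))
            throw new ArgumentException("Refusing to grant FullTrust to a drive root.");
        return full.TrimEnd('\\', '/') + "\\*";
    }

    // Install: same switches as change 1 (-ag, -url, FullTrust, -n, -d).
    public static string AddGroup(string policyLevel, string parentCodeGroup,
        string installFolder, string groupName, string description)
    {
        return policyLevel + " -q -ag " + Quote(parentCodeGroup, "Parent group")
            + " -url " + Quote(FolderUrl(installFolder), "Installation URL")
            + " FullTrust -n " + Quote(groupName, "Group name")
            + " -d " + Quote(description, "Description");
    }

    // Uninstall: remove the code group by the name used at install time.
    public static string RemoveGroup(string policyLevel, string groupName)
    {
        return policyLevel + " -q -rg " + Quote(groupName, "Group name");
    }

    static void Main()
    {
        // Constructed sample values; -m selects caspol's machine policy level.
        string folder = @"C:\Program Files\Contoso\SampleAddIn";
        Console.WriteLine("caspol.exe " + AddGroup("-m", "My_Computer_Zone", folder,
            "Contoso.SampleAddIn", "Folder-level trust for the sample add-in"));
        Console.WriteLine("caspol.exe " + RemoveGroup("-m", "Contoso.SampleAddIn"));
    }
}
```

Since every assembly under the trusted URL runs with FullTrust, the installation folder should be writable only by administrators.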

Comments

  • Anonymous
    November 12, 2008
    Good Article. I tried a lot to solve the error in my project, but finally I found this and it worked. Thanks!!!!
  • Anonymous
    February 03, 2009
    Thank you for the post, it has saved me a lot of hair pulling :) Note: Remember to uninstall previous versions so that the security policy is re-created with the new folder (rather than assembly) permissions.
  • Anonymous
    September 16, 2009
    Thank you for the post... Thank you very much. I have a small problem with the uninstall. Everything from the install to the usage of the add-in is working fine. When I uninstall, the folder and the add-in are deleted, but the code access security entry in the .NET Framework Configuration is not deleted, and every time I install it a new entry is created. What to do???
  • Anonymous
    September 16, 2009
    Do you have the custom action set for the uninstall? You need to pass in the solutionCodeGroupName for the installer to be able to remove it.