Friday, 31 March 2017

visual studio 2010 - Cannot import the keyfile 'blah.pfx' - error 'The keyfile may be password protected'

After trying all these solutions (and a lot more), I found that the problem lies somewhere else. For people that go through the same misery as me after buying a certificate, I'll share the solution for my problem.


Behavior


I understand that 'sign' applies a strong name and not an authenticode to a DLL or EXE. This is why signtool will work in this case, but 'sign' in Visual studio will not work.


Reason


In the past I've had experience with certificates from Verisign. They have a KeySpec=2 in the certificate - which is used with the 'sign' functionality in Visual Studio. These certificates work fine for both Visual Studio and signtool.


I now bought certificates from Comodo, which have an incorrect KeySpec=1 in the code signing certificates. That means these certificates work fine with signtool (authenticode) but not with strong naming (the sign drop-down).


Solution


There are two ways to solve this issue:



  1. Create a separate certificate for your strong name using sn -k [name].snk. Sign the assembly using the snk and afterwards use signtool with your code signing certificate to do sign the DLL/EXE with the authenticode signature. While this seems strange, from what I understand this is a correct way to deal with certificates, because strong names have a different purpose than authenticode (see also this link for details on how this works).

  2. Import your certificate as KeySpec=2. The procedure for this is detailed here.


Because I want to use multiple strong names, I currently use option (1), although option (2) also works.




To ensure this solution will never get lost in the future, here's the procedure of solution 2:



  1. Using the "Certifiates" MMC export the existing keyset (KeySpec=1) to a PFX file. Note: Please backup this file to a safe location and test if the file can be imported ok on another machine if you really want to play it safe!

  2. Delete the existing certificate from the crypto store (stlll using the MMC).

  3. Open a CMD prompt.

  4. Import the PFX file using this command:

    1. certutil -importPFX -user AT_SIGNATURE

    2. Enter the passphrase for the pfx when prompted.



You now should have a keyset/certificate with KeySpec=2. If needed you can now export this into another PFX file using the MMC again.

No comments:

Post a Comment

c++ - Does curly brackets matter for empty constructor?

Those brackets declare an empty, inline constructor. In that case, with them, the constructor does exist, it merely does nothing more than t...