Code Signing Office Add-in

  • Question

  • Hello All,

    It's release time so we procured a real Code Signing certificate from Comodo (I put the same ticket in over there in case they have something to say).

    When I try to sign my assembly through the project properties GUI I get the following error:  
    "Cannot import the following key file: blah.pfx. The key file may be password protected. To correct this, try to import the certificate again or manually install the certificate to the Strong Name CSP with the following key container name: VS_KEY_501A6A1A79702956"

    I've followed the error's instructions, I've changed the password, I've used the VS command line tool to add the key.  All of these were instructions from the web but none are working.

    This is a COM Word add-in created with an AddinExpress template in VS2010 Ultimate.  No matter what I do I keep getting the same error.

    Anyone else come across this?  I really appreciate your help.

    Thank you in advance,

     

    Nick Metnik

    Tuesday, July 12, 2011 8:26 PM

All replies

  • Hello Nick,

    I suppose you get this on the Signing tab in VS. If so, that means you need to use an .snk file on this tab. As to the .PFX file, you need to use the SignTool.exe utility; the best place for doing this is PostBuildEvent.


    Regards from Belarus (GMT + 2),

    Andrei Smolin
    Add-in Express Team Leader
    Thursday, July 14, 2011 10:28 AM
  • Hello Andrei,

    Thank you for the response.  I have a ticket open with Microsoft for $259 yuck, so if you can solve my problem you're saving me some $$$ :)
    How do I go about converting .pfx to .snk and do I use both (snk for the signing tab and pfx for the post build)?  I'm also using your Add-in Express so do I have to do anything with your DLLs as well?

    I'm sure Google can answer my first question but if you can that would be excellent. 

    Thank you so much for taking your time to answer,

    Nick Metnik

    Thursday, July 14, 2011 2:53 PM
  • No conversion required. These are two different "signings": you use .PFX to digitally sign adxloader.dll and your add-in assembly, please see http://msdn.microsoft.com/en-us/library/ms537361(VS.85).aspx. Pay attention to the comment on that page.
    Regards from Belarus (GMT + 2),

    Andrei Smolin
    Add-in Express Team Leader
    Thursday, July 14, 2011 3:09 PM
  • Thank you Andrei, I'll give this a shot and get back to you.

     

    Nick

    Thursday, July 14, 2011 3:46 PM
  • Hello again Andrei,

    Are you referring to "C:\Program Files\Microsoft SDKs\Windows\v6.0A\Bin\SignTool.exe" sign /f "C:\VBProjects\Authenticode\BuenoSoftware.pfx" /p "P@ssw0rd" /v /t http://timestamp.comodoca.com/authenticode %1.exe >SignIt_Output.txt" at the bottom of the page?

    If so how do I go about getting a .snk, would I just use "makecert.exe"?

    Also this is being packaged into an msi via your setup project so if I call my batch file in PostBuildEvent will it include the signed assembly or is it too late?

    Sorry for my noobness, I'm having troubles finding good examples that are relevant to my scenario.

     

    Thanks again,

     

    Nick

    Thursday, July 14, 2011 8:28 PM
  • Also Andrei following your article:  http://www.add-in-express.com/programming-internet-explorer/deployment.php seems to have some promising results instead of relying on VS2010.  I'll let you know how that goes since it completed successfully and even said it was "Signing..."

    I'll report back once I try it on a Vista and Win7 machine.

    Thank you,

     

    Nick

    Thursday, July 14, 2011 9:09 PM
  • Ok problem solved.

    1. I exported the pfx from my personal store in certmgr.msc with the following options:  Yes to "export private key...", uncheck everything else.

    2. I deleted the cert from the personal store.

    3. I then used the VS command line utility and ran the following command:  certutil -importPFX -user <pfxfilename> AT_SIGNATURE

    4. Finally I verified it was in the personal store and referenced it in VS2010 via <browse>.

    It's a confirmed bug and will be addressed next build but I hope this helps someone else.  Here is a related article that led to this conclusion:  http://blogs.msdn.com/b/andrekl/archive/2008/01/08/strong-name-signing-in-visual-studio-2005-requires-keyspec-2-at-signature.aspx

    Thank you,

    Nick

     

    Friday, July 15, 2011 5:10 AM
  • No conversion required. These are two different "signings": you use .PFX to digitally sign adxloader.dll and your add-in assembly, please see http://msdn.microsoft.com/en-us/library/ms537361(VS.85).aspx. Pay attention to the comment on that page.
    Regards from Belarus (GMT + 2),

    Andrei Smolin
    Add-in Express Team Leader
    I'm marking this as an answer because you do have to sign the msi on postbuild like the comment on the link above suggests.
    Friday, July 15, 2011 5:14 PM
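
An added example, not code from the thread or from Add-in Express: a PowerShell post-build script for the Authenticode step discussed above, selecting the certificate from the user's Personal store by thumbprint so that no .pfx password has to sit in a build script. The thumbprint and MyAddin.dll are placeholders; the SignTool path and timestamp URL are the ones quoted in the thread.

```powershell
# Added example: Authenticode-sign build outputs with a certificate from the store.
# Assumptions: the thumbprint you pass in and MyAddin.dll are placeholders.
param(
    [Parameter(Mandatory = $true)][string]$Thumbprint,
    [string[]]$Files = @('.\adxloader.dll', '.\MyAddin.dll'),   # MyAddin.dll is hypothetical
    [string]$SignTool = 'C:\Program Files\Microsoft SDKs\Windows\v6.0A\Bin\SignTool.exe',
    [string]$TimestampUrl = 'http://timestamp.comodoca.com/authenticode'
)
$ErrorActionPreference = 'Stop'

# Normalise the thumbprint (copying it from the certificate dialog adds spaces).
$Thumbprint = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

# -CodeSigningCert returns only certificates whose EKU allows code signing.
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "No code-signing certificate $Thumbprint in CurrentUser\My" }
if (-not $cert.HasPrivateKey) { throw 'Certificate has no private key; re-import the .pfx' }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($cert.NotAfter)" }

foreach ($file in $Files) {
    if (-not (Test-Path $file)) { throw "Missing build output: $file" }

    # /sha1 selects the store certificate, so no /f <pfx> /p <password> is needed.
    & $SignTool sign /sha1 $Thumbprint /t $TimestampUrl /v $file
    if ($LASTEXITCODE -ne 0) { throw "SignTool sign failed for $file (exit $LASTEXITCODE)" }

    # Verify with the Authenticode policy (/pa) rather than the default driver policy.
    & $SignTool verify /pa /v $file
    if ($LASTEXITCODE -ne 0) { throw "SignTool verify failed for $file" }

    # Independent check: expected signer, and a timestamp so the signature
    # remains verifiable after the certificate expires.
    $sig = Get-AuthenticodeSignature -FilePath $file
    if ($sig.Status -ne 'Valid') { throw "$file signature status: $($sig.Status)" }
    if ($sig.SignerCertificate.Thumbprint -ne $Thumbprint) { throw "$file signed by another cert" }
    if (-not $sig.TimeStamperCertificate) { throw "$file has no timestamp" }
    Write-Host "OK  $file"
}
```

Run it from the add-in project's post-build event for the DLLs, then again with -Files pointing at the .msi once the setup project has packaged the already-signed DLLs.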