Link to home
Create AccountLog in
Avatar of John
JohnFlag for Canada

asked on

How do I sign my assembly

I have a Windows Forms Application written in VB using Visual Studio 2010 that is signed but the code signing certificate has expired so I'm trying to figure out how to rebuild the assembly using a new certificate.

I used Internet Explorer -> Tools -> Internet Options -> Content -> Certificates -> Export

I asked it to export a Private key, use .PFX format, include all certificates, and to export all extended properties

This produced a .PFX file called MyApp.pfx

When I try to specify this file on the Signing tab of the My Project section (Choose a strong name key file) of my VS 2010 project, after entering the password, I get the following error message:

"Cannot find the certificate and private key for decryption"

What am I doing wrong?

Also, I have the following post-build command:

"C:\Program Files (x86)\Microsoft SDKs\Windows\v7.0A\Bin\signtool" sign /f C:\Path\MyCodeSigningCertificatePrivateKey.pfx /p xxxx $(TargetFileName)

This command executes without error.

It appears to me that this is re-signing the assembly after every build making the checked "Sign The Assembly" option on the Signing tab of my VS 2010 project redundant. Am I correct?

Avatar of Jacques Bourgeois (James Burger)
Jacques Bourgeois (James Burger)
Flag of Canada image

Link to home
Create an account to see this answer
Signing up is free. No credit card required.
Create Account
Avatar of John


Thanks. The new key was imported onto the computer (it's the same development computer... the old code signing key simply expired so we got an updated one).
Expired keys do not really expire. At least, not those generated by snk. If you use them only in-house, you can usually continue to use them after the expiration. It looks as if that date is only an indicator, nothing else.

The one I currently use expired in 2010 and still does its job, at least in standard versions of Windows. I have never developed something designed to be run on a server, so things might be different there.

But you can have problems signing old projects with new keys. If these projects are referenced by other projects, they are considered to be something else and are rejected. Once a project is signed, the signature becomes part of its identification for a lot of validations in the framework. This is done so that nobody can spoof your assembly, by creating another one with the same name and object model as yours, that could replace yours and create a security risk.
Avatar of John


Signing the tool in the post-build seems to work.