 

C# code signing with pfx

I feel like this shouldn't be all that hard but I'm going crazy trying to get it to work. I have found so many different things to try and nothing seems to be working.

I am trying to sign a WPF assembly using a .pfx file. If I try to use the original file I get "Cannot find the certificate and private key for decryption."

If I import the key and export it again deselecting "Include all certificates in the certificate path if possible" it seems to work. When I go to build however I get "Error 1 Cannot import the following key file: my_key.pfx. The key file may be password protected. To correct this, try to import the certificate again or manually install the certificate to the Strong Name CSP with the following key container name:"

I can sign the ClickOnce manifests fine, just not the assembly. Any suggestions on how to make this work?

thecaptain0220 asked Feb 17 '23 02:02



1 Answer

I've had similar problems, and after years of C# development (in VS 2005 to 2012) have never managed to find a way of using a .pfx file from a certification authority to code sign from the project properties. There are assembly attributes and project settings for code signing, all of which seem to interfere with each other, and none of which work. The project properties form asks for a password for the pfx (which does not seem to get stored anywhere) and then the signing fails because the password's broken. I suspect nobody at MS has ever actually used this code signing feature with a bought certificate, only with self-signing certificates that VS has created locally.

If you want to obfuscate your code, you also have to sign it after obfuscation, so you couldn't use any of these methods even if they worked.

The only reliable solution I have found is to use signtool.exe as a post-build step. And once you've set this up, you'll probably no longer care whether there is a better way.

When you purchase a certificate it'll usually be installed directly into your PC's certificate store, so you can code-sign with it directly from the store in a post-build step, something like this:

REM Post-build events run as a batch script, so a trailing ^ is needed to continue the command on the next line.
REM /fd names the file digest algorithm; recent signtool versions refuse to sign without it.
"C:\Program Files (x86)\Windows Kits\8.0\bin\x64\signtool" sign ^
    /n CertificateName ^
    /fd SHA256 ^
    /tr http://timestamp.comodoca.com/rfc3161 ^
    "$(TargetPath)"

Notes:

  • You may need to search to find where signtool.exe is on your PC, and use the one in the most recent SDK version you can find to get an up-to-date version of it - you have to use a full path in the post-build command for it to work
  • "CertificateName" is the name of the certificate you have bought, in your personal certificate store
  • The URL here is an example (in this case for Comodo's timestamp server), just change it to the server from your own provider

Or to do it using a .pfx file:

REM Same command, but the certificate and key come from a .pfx file instead of the certificate store.
"C:\Program Files (x86)\Windows Kits\8.0\bin\x64\signtool" sign ^
    /f CertificateFile.pfx /p Password ^
    /fd SHA256 ^
    /tr http://timestamp.comodoca.com/rfc3161 ^
    "$(TargetPath)"

(where CertificateFile.pfx is the pfx file, and "Password" is the password for using the file. To get a pfx file out of your certificate store, run "certmgr.msc" and find the certificate (probably in Personal\Certificates), right click it and choose All Tasks > Export...)

Super easy. Why doesn't anyone anywhere on the internet (like, say, the certification authorities who sell the things) simply say this in the first place?!

Jason Williams answered Feb 23 '23 10:02

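The same post-build signing step written as a PowerShell script, added here as an example and not part of the answer above: it takes the certificate either from a .pfx file or from the personal certificate store, signs with a timestamp, and then re-reads the file to confirm the signature actually verifies against the intended certificate. The parameter names, the prompt for the pfx password, and the use of Set-AuthenticodeSignature in place of signtool are my assumptions; the timestamp URL is the one from the answer.

```powershell
# Added example, not the answer's own code. Call from a post-build event, e.g.
#   powershell -NoProfile -File sign.ps1 -TargetPath "$(TargetPath)" -SubjectName CertificateName
param(
    [Parameter(Mandatory)] [string] $TargetPath,     # the built assembly, $(TargetPath) in VS
    [string] $PfxPath,                               # sign with a .pfx file ...
    [string] $SubjectName,                           # ... or with a cert already in Cert:\CurrentUser\My
    [string] $TimestampServer = 'http://timestamp.comodoca.com/rfc3161'  # RFC 3161 server from the answer
)

# Pick the signing certificate. The pfx password is prompted for interactively so it
# never has to be stored in the .csproj or the post-build command line.
if ($PfxPath) {
    $password = Read-Host -AsSecureString -Prompt "Password for $PfxPath"
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PfxPath, $password)
} else {
    # -CodeSigningCert keeps only certificates whose EKU allows code signing;
    # if several match the subject, prefer the one that expires last.
    $cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
        Where-Object { $_.Subject -like "*CN=$SubjectName*" } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
}
if (-not $cert) { throw "No code-signing certificate found" }
if (-not $cert.HasPrivateKey) {
    # This is the "Cannot find the certificate and private key" situation from the question:
    # the pfx (or store entry) carries the public certificate only.
    throw "Certificate $($cert.Thumbprint) has no private key; export the pfx with the key included"
}

# Sign with SHA-256 and a timestamp, so the signature stays valid after the certificate expires.
$result = Set-AuthenticodeSignature -FilePath $TargetPath -Certificate $cert `
    -HashAlgorithm SHA256 -TimestampServer $TimestampServer
if ($result.Status -ne 'Valid') { throw "Signing failed: $($result.StatusMessage)" }

# Independent check of what was actually written to the file.
$sig = Get-AuthenticodeSignature -FilePath $TargetPath
if ($sig.Status -ne 'Valid') { throw "Signature does not verify: $($sig.StatusMessage)" }
if ($sig.SignerCertificate.Thumbprint -ne $cert.Thumbprint) { throw "File was signed with an unexpected certificate" }
if (-not $sig.TimeStamperCertificate) { throw "No timestamp countersignature; the timestamp server may be unreachable" }
Write-Host "Signed $TargetPath as '$($sig.SignerCertificate.Subject)', timestamped by '$($sig.TimeStamperCertificate.Subject)'"
```

The verification at the end is the part worth keeping even if you stay with signtool: the equivalent there is a separate `signtool verify /pa /v "$(TargetPath)"` step, which is what catches an expired or key-less certificate before the build is shipped.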