Personal Digital Assistant

View full version: CAPICOM Process replacement



C# Programming
10-23-2009, 08:00 AM
I can't believe I'm doing this...

In my job, I have to digitally sign .MSI files before deployment. Previously, this was done using the CAPICOM 2.1 library and a manual wizard-based process to sign the .MSI.

Seeing an opportunity for process improvement, I scripted this process into a drag-and-drop operation where you just drop the .MSI file on the script and it would use the CAPICOM COM objects to find the appropriate code-signing certificate and sign the file for you, baking the signed hash into the file. When you went out to Explorer, you get the properties on the file and click the Digital Signatures tab, whaalaa, you can see the signature!

This process worked great under Windows XP...

Now, move to Windows 7 (we're skipping Vista! :) ). CAPICOM is no longer in the Windows SDK and is no longer supported as it is officially deprecated by MS. MS says that the same functionality CAPICOM provided can be cobbled together using managed code and the .NET Framework.

I've tried to get CAPICOM to work under Windows 7, but I haven't been able to get any of the COM objects to instantiate. So, now I'm trying to poke around the classes under the System.Security.Cryptography namespace and put together a process to digitally sign an .MSI file (or any other file for that matter), but do it with the signature in the file. Having a separate signed hash in a p7s file does me no good. It must be baked into the .MSI just like the old CAPICOM process did it.

Anyone got any clues or research points to rebuilding this process in managed code? Which classes am I looking at?? I can see the X509 certificates using the classes in the System.Security.Cryptography.X509Certificates namespace, but can't seem to piece together the signing process. What am I missing?


A guide to posting questions on CodeProject (http://www.codeproject.com/scrapbook/ForumGuidelines.asp)


Dave Kreskowiak
Microsoft MVP
Visual Developer - Visual Basic
*****2006, 2007, 2008
But no longer in 2009...
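
One way to get the embedded (not detached .p7s) signature described in the post above, as an added example that is not part of the original thread: managed code picks the code-signing certificate from the store, and signtool.exe writes and then verifies the Authenticode signature inside the .MSI. Assumptions: the class name `MsiSigner` is hypothetical, the certificate lives in the CurrentUser\My store, and a Windows SDK signtool.exe that accepts `/fd` is on PATH.

```csharp
using System;
using System.Diagnostics;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class MsiSigner // hypothetical name, not from the post
{
    const string CodeSigningEku = "1.3.6.1.5.5.7.3.3"; // id-kp-codeSigning

    // Require an explicit Code Signing EKU; certificates with no EKU are rejected.
    static bool HasCodeSigningEku(X509Certificate2 cert) =>
        cert.Extensions.OfType<X509EnhancedKeyUsageExtension>()
            .Any(e => e.EnhancedKeyUsages.Cast<Oid>().Any(o => o.Value == CodeSigningEku));

    // Latest-expiring certificate that is inside its validity period and has a private key.
    // This checks dates only; chain and revocation checks are left to signtool verify.
    static X509Certificate2 FindSigningCert()
    {
        var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            DateTime now = DateTime.Now;
            return store.Certificates.Cast<X509Certificate2>()
                .Where(c => c.HasPrivateKey && c.NotBefore <= now && now < c.NotAfter)
                .Where(HasCodeSigningEku)
                .OrderByDescending(c => c.NotAfter)
                .FirstOrDefault();
        }
        finally { store.Close(); }
    }

    static int Run(string exe, string arguments)
    {
        var psi = new ProcessStartInfo(exe, arguments) { UseShellExecute = false };
        using (var p = Process.Start(psi)) { p.WaitForExit(); return p.ExitCode; }
    }

    static int Main(string[] args)
    {
        if (args.Length != 1) { Console.Error.WriteLine("usage: MsiSigner <file.msi>"); return 2; }
        X509Certificate2 cert = FindSigningCert();
        if (cert == null) { Console.Error.WriteLine("No usable code-signing certificate."); return 3; }

        // Assumption: signtool.exe is on PATH. /sha1 selects the certificate by thumbprint.
        int rc = Run("signtool.exe", $"sign /sha1 {cert.Thumbprint} /fd SHA256 \"{args[0]}\"");
        if (rc != 0) return rc; // do not report success for an unsigned file
        return Run("signtool.exe", $"verify /pa \"{args[0]}\""); // check the embedded signature
    }
}
```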