Creating and deploying Managed COM add-ins with VB.NET 2005 – Part VII
You can find the earlier posts on the subject at the following links:
Part I – Introduction
Part II – Connection
Part III – Notes Tool – Workbooks
Part IV – Notes Tool – Worksheets
Part V – Notes Tool – Main functions
Part VI – COM Shim Wizard
In general I’m an advocate of software security, and therefore I see it as important to dedicate a post to security when it comes to COM add-ins as well. For a general introduction to Office 2003 security please see the following URL: Security
Using Strong Name Signatures for ‘shimmed’ managed COM add-ins
I started to make a write-up on the subject but had difficulty keeping the focus on the essential parts in view of the subject of the series. I then recalled that an article had recently been published in MSDN Magazine, and I was glad when I also found it on the web. The article is good in my opinion and it’s worth reading the whole of it: CLR Inside Out – Using Strong Name Signatures. At the bottom of the article Mike Downen also brings up Windows Authenticode.
Digitally signing generated standard COM DLLs
This can be applied to both standard COM add-ins, for instance those developed with VB 6.0, and standard COM DLLs generated with the COM Shim Wizard.
To digitally sign DLLs we need a certificate, which can be bought from a security company like Thawte or Verisign. I use Thawte and I’m pleased with both their certificate and their service.
To sign a DLL we use SignTool.exe in the following way:
a. Locate the SignTool.exe file on the drive
(one location can be c:\Program Files\Microsoft Visual Studio 8\SDK\v2.0\Bin)
1. Choose Start | Run in Windows and enter ‘cmd’ to open a command window.
2. Change the path to the SignTool’s folder.
3. Enter the following command: signtool signwizard.
4. The graphical wizard should now start, and you can follow its instructions.
In order to timestamp the DLL you need to provide a Timestamp Service URL like the following: http://timestamp.verisign.com/scripts/timstamp.dll (The spelling of the DLL’s name is correct)
In many companies the security level in the Office suite is set to ‘High’, and when a COM add-in based solution is installed and Excel is then opened the following message is received:
When the end users accept the certificate the company that has signed the DLL is placed in the group of Trusted Publishers which the following picture from Excel shows:
Those of you who only want to test how to digitally sign a DLL can use the following tools:
– Makecert.exe, which generates X.509 certificates for testing purposes only.
– Cert2spc.exe, which creates, for test purposes only, a Software Publisher’s Certificate (SPC) from one or more X.509 certificates.
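The wizard steps and the test tools above can also be run without the graphical wizard, which suits a build script and adds a verification step. The following batch file is an added example, not from the original post: the DLL name and certificate subject are placeholders, and it has Makecert.exe place the test certificate directly in the current user's certificate store instead of going through Cert2spc.exe.

```bat
@echo off
rem Added example: sign, timestamp and verify a COM DLL from the command line.
rem Assumptions: MyAddinShim.dll and "Example Test Publisher" are placeholders.
setlocal
set "SDKBIN=C:\Program Files\Microsoft Visual Studio 8\SDK\v2.0\Bin"
set "TARGET=MyAddinShim.dll"
set "SUBJECT=Example Test Publisher"
set "TSURL=http://timestamp.verisign.com/scripts/timstamp.dll"

rem TEST ONLY: create a self-signed certificate with the code-signing usage
rem (OID 1.3.6.1.5.5.7.3.3) in the current user's "My" store.
rem Skip this step when signing with a purchased certificate.
"%SDKBIN%\makecert.exe" -r -n "CN=%SUBJECT%" -ss My -eku 1.3.6.1.5.5.7.3.3
if errorlevel 1 goto fail

rem Sign with the certificate from the "My" store whose subject matches,
rem and timestamp the signature so it outlives the certificate's expiry.
"%SDKBIN%\signtool.exe" sign /s My /n "%SUBJECT%" /t "%TSURL%" "%TARGET%"
if errorlevel 1 goto fail

rem Verify with the default Authenticode policy (/pa), verbose output (/v).
rem A self-signed test certificate does not chain to a trusted root, so a
rem failure here is expected for test builds and must not occur for releases.
"%SDKBIN%\signtool.exe" verify /pa /v "%TARGET%"
if errorlevel 1 (
    echo Signature on %TARGET% did not verify against a trusted root.
    exit /b 2
)
echo %TARGET% is signed and verifies.
exit /b 0

:fail
echo Signing failed for %TARGET%.
exit /b 1
```

Running the verify step on every release build catches a DLL that was rebuilt after signing or signed with the test certificate by mistake.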
In the next post I will cover how we deploy the ‘digitally signed shimmed’ managed COM add-in.