Saturday, April 24, 2010

Signing Assemblies with a Strong Name

Code Analysis (FxCop) warned me that my credit card application was not signed with a Strong Name. Without one there is no signature for the runtime to check the assembly against, so it is harder to tell whether the assemblies have been tampered with. For more information on Strong Names and why they're a good thing, see this Tech Republic article.

You first need a cryptographic key pair before you can sign an assembly. It is created with the sn.exe (Strong Name) tool that ships with the Windows SDK:
sn.exe -k sgKey.snk
I added the resulting sgKey.snk file to my project in Visual Studio, then opened the project's properties, went to the Signing tab, checked the "Sign the assembly" box and pointed it at my key file. Note that the .snk contains the private key, so treat it like one: anyone who has it can build assemblies that carry your identity.

I had forgotten that I use a third-party library to log the user out after a configurable period of inactivity, and its assembly was not signed. A strong-named assembly cannot reference an unsigned one (the compiler refuses to build it), which makes sense: an unsigned dependency could be swapped out at will and the strong name on the top-level assembly would prove nothing. So every unsigned dependency has to be replaced with a signed one first.
If you can compile the third-party library from source, you can sign it yourself; otherwise you'll want to ask the vendor for a signed build. I was in the odd situation of having compiled the library without saving the code, and I couldn't find the open source project from which I had originally gotten it. My solution was to sign it myself by disassembling the assembly and re-assembling it with my key.

The ildasm.exe tool is used to disassemble .NET assemblies.
ildasm /output:Timer.il Timer.dll
Then, the ilasm.exe tool let me provide my key file and re-assemble the library so I had a signed assembly.
ilasm /dll /key:sgKey.snk  Timer.il
ildasm.exe is provided by the Windows SDK, while ilasm.exe ships with the runtime itself and can be found in your %WINDIR%\Microsoft.NET\Framework\v## directory (where ## is replaced by the version number of the .NET Framework you are targeting). One thing to watch for: if the original DLL carried Win32 resources (a version block, for instance), ildasm also writes a Timer.res next to Timer.il, and you need to hand that file back to ilasm with its /resource option or the re-assembled DLL will silently lose that information.

It's not uncommon to have multiple versions of .NET installed on a computer, let alone on a developer's computer, so be sure to use the ilasm.exe of the lowest version of .NET you wish to support when you re-assemble your library. ilasm stamps the version of the runtime it belongs to into the assembly's metadata header, and an older runtime refuses to load an assembly built for a newer one, so you can't assemble it with v4.0.30319\ilasm.exe if you're targeting a .NET 2.0 platform.
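Here is the whole procedure as one script, added here as an illustration rather than taken from the post. It reuses the Timer.dll and sgKey.snk names from above, assumes sn.exe and ildasm.exe from the Windows SDK are on the PATH, and defaults to the .NET 2.0 runtime directory (v2.0.50727) for ilasm; the Invoke-Tool helper is mine, not part of any of these tools.

```powershell
# Re-sign an unsigned dependency by round-tripping it through ildasm/ilasm,
# then prove the result with sn.exe. Added example, not code from the post.
# Assumptions: sn.exe and ildasm.exe (Windows SDK) are on PATH; the ilasm.exe
# of the runtime you target lives under %WINDIR%\Microsoft.NET\Framework.
param(
    [string]$Assembly = "Timer.dll",     # the unsigned library from the post
    [string]$KeyFile  = "sgKey.snk",     # key pair from 'sn -k' (holds the private key)
    [string]$Runtime  = "v2.0.50727"     # lowest .NET runtime the application targets
)
$ErrorActionPreference = "Stop"

function Invoke-Tool {
    # Run a native tool and fail loudly on a non-zero exit code (helper, not an SDK command).
    param([string]$Exe, [string[]]$ToolArgs)
    $out = & $Exe @ToolArgs | Out-String
    if ($LASTEXITCODE -ne 0) { throw "$Exe $ToolArgs failed:`n$out" }
    return $out
}

$ilasm = Join-Path $env:WINDIR "Microsoft.NET\Framework\$Runtime\ilasm.exe"
if (-not (Test-Path $ilasm)) { throw "No ilasm.exe for $Runtime at $ilasm" }

# 1. Create the key pair once. Guard the .snk like any private key:
#    whoever holds it can produce assemblies that carry your identity.
if (-not (Test-Path $KeyFile)) { Invoke-Tool sn @("-k", $KeyFile) | Out-Null }

# 2. Nothing to do if the library already carries a valid strong name
#    (sn -vf reports "... is valid" and exits 0; otherwise it fails).
$before = & sn -vf $Assembly | Out-String
if ($LASTEXITCODE -eq 0 -and $before -match "is valid") {
    Write-Host "$Assembly is already strong-named"
    return
}

# 3. Keep the original, then disassemble. ildasm writes <name>.il and, when the
#    DLL has Win32 resources such as a version block, <name>.res beside it.
$name = [IO.Path]::GetFileNameWithoutExtension($Assembly)
Copy-Item $Assembly "$name.unsigned.dll" -Force
Invoke-Tool ildasm @("/output:$name.il", $Assembly) | Out-Null

# 4. Reassemble with the key, passing the .res back so no resources are lost.
#    Without /output, ilasm writes <name>.dll in the current directory, replacing
#    the unsigned copy we backed up above. Using the target runtime's ilasm keeps
#    the metadata header loadable by that runtime.
$ilArgs = @("/dll", "/key:$KeyFile")
if (Test-Path "$name.res") { $ilArgs += "/resource:$name.res" }
$ilArgs += "$name.il"
Invoke-Tool $ilasm $ilArgs | Out-Null

# 5. Verify the signature and print the public key token consumers will bind to.
$after = Invoke-Tool sn @("-vf", $Assembly)
if ($after -notmatch "is valid") { throw "Strong-name verification failed:`n$after" }
Invoke-Tool sn @("-T", $Assembly)
```

Run it from the folder containing the DLL; it leaves Timer.unsigned.dll behind as a backup, and the final sn -vf is the check that matters, since a build that references the DLL will only tell you the strong name exists, not that it verifies. Keep in mind that a strong name gives an assembly a unique identity and lets the loader detect modification after signing; it says nothing about who the publisher is, which is what Authenticode is for.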

Thursday, April 22, 2010

Code Analysis in Visual Studio

Continuing to play around with Visual Studio 2010 Ultimate, I ran the Code Analysis tool on some code I had written for a customer: a desktop-based application which securely stores credit card information using hardware identifiers as portions of the encryption key. I started with over 300 warnings and have now worked them down to around 120 or so. Those that remain are Globalization-related, which I'm not concerned about since it was a one-off project that is unlikely to be internationalized. FxCop, the tool on which Code Analysis is built, is freely available online.

Tuesday, April 20, 2010

Visual Studio 2010 Released

If you haven't heard the news already (which I hadn't because I typically don't keep up with such things), Visual Studio 2010 came out earlier this month. I've been playing around with Visual Studio 2010 Ultimate (a 90-day trial version is available) and I must say I'm impressed. Microsoft has finally added common features like block editing and text-zoom, an Extension Manager to extend the IDE à la Eclipse, and support for jQuery. If I were a Fortune 500 company hacking out Windows code all day I could justify a couple of licenses if it really helped my developers efficiently produce a more secure and stable application, but the price tag puts it far out of reach for my needs. I'll stick with either VS2005 or C# Express 2010.

I'll probably post a few follow-up entries as I explore more throughout the next 90 days, so be sure to keep an eye out!