Combining Strong Names with Authenticode

re: Combining Strong Names with Authenticode

Alan McFarlane — Mon, 15 Jan 2007 21:44:03 GMT

Not directly related to this post, but... As *the* source of all useful and up-to-date information on CLR security, do you have any plans for a posting on the effect of IE7 on CAS etc?

I was investigating the NetworkCodeGroup ‘same site’ WebPermission behaviour in the Internet and Intranet zones, and only managed to get it to work in the latter zone after poking and prodding IE7. Needing to enable “Intranet Settings” apparently...

I discovered that by luck on loading a HTML page in that zone and the information bar prompting me... Do you know if that’s the only effect installing IE7 has?

Alan

BTW I never got it to work in the Internet zone... Is there any way to find which rights have been granted to a running app? In those zones an app it can’t read its own rights of course.

re: Combining Strong Names with Authenticode

shawnfa — Wed, 17 Jan 2007 21:27:43 GMT

Hi Alan,

I haven't thought about doing an IE7 post, but basically we rely on IE to map zones and we rely on zones in default policy as you noticed. I don't know all the details on the changes to IE7's zone mapping policy, but I do know that they default to Internet if they don't know what to do, and that they're much more strict in IE 7.

Apps can't self-discover their zone at that trust level as you notice (outside of heuristics like doing various demands and noticing what succeeds). The easiest way to figure this out would be to attach a debugger and look at the AppDomain Evidence for the entry domain. (Or use the IE 7 browser as you did in your example).

-Shawn

Combining Strong Names with Authenticode

Readme.blg — Fri, 19 Jan 2007 08:03:00 GMT

http://blogs.msdn.com/shawnfa/archive/2007/01/10/combining-strong-names-with-authenticode.aspx

re: Combining Strong Names with Authenticode

David J. Smith — Fri, 19 Jan 2007 15:24:25 GMT

Great post. I think there is much confusion between "code signing" and "strong naming".

There's also a great post about it here: http://www.robrich.org/archive/2006/11/29/Code-Signing-two-worlds-defined.aspx

Authenticode and Strong naming ("signing")

David J. Smith's Blog — Sun, 21 Jan 2007 08:50:39 GMT

It kills me that the names for these processes are "Code signing" and "Strong Name signing". So this

re: Combining Strong Names with Authenticode

Alan McFarlane — Mon, 22 Jan 2007 19:02:31 GMT

Thanks Shawn.

Yup, given that this is solely down to the change in IE7's Zone behaviour, it would be a short post here. Unfortunately I can't find it documented anywhere, so anyone else will have to discover the solution independently. :-( I can guess that the IE blog people might say, oh that's a .NET issue... Anyway, maybe these comments might be findable in google. :-)

I'll try a attaching a debugger when I have a look at this again. Thanks.

Alan