Authenticode and Assemblies

re: Authenticode and Assemblies

JohnB — Tue, 13 Dec 2005 18:50:10 GMT

We encountered severe problems with signed assemblies - if the CRL server is not reachable (ex if you're behind a firewall) the startup of the application is blocked for a couple of seconds. Funny thing is, the Assembly will then be loaded nevertheless, so the whole check seems pointless to me. IMHO, it should be possible to entirely trust signed assemblies in order to prevent the CLR from checking with the CRL. Completely switching off the check (possible in the advanced tab of the internet settings) is not an acceptable workaround. We will remove the digital signature from our assemblies for these reasons...

re: Authenticode and Assemblies

shawnfa — Tue, 13 Dec 2005 19:29:05 GMT

Right -- if a signature fails to verify we don't block the load, rather we just don't grant the publisher identity permission associated with the certificate.

-Shawn

re: Authenticode and Assemblies

JohnB — Tue, 13 Dec 2005 21:37:19 GMT

If you think of it from a third party component vendor perspective it's a pity it works like it does - as soon as someone inserts our assembly into his application, he gets the firewall popping up and once he denies the connection, he ends up with a few second delay at app startup. We had to face severe accusations of producing spyware or trojans until we found out what's actuall happening here. You can google for several threads from component vendors with the same problem - as of now, IMO using digital signatures with .NET assemblies is not recommendable as long asw you don't write code for specific customers to whom you can explain what's happening.

re: Authenticode and Assemblies

Kevin Read — Wed, 14 Dec 2005 02:23:43 GMT

We have also encountered problems with signed assemblies and CRL checking.

In our case, the problems encountered happened on our backend servers, where this assembly loading delay was completely unacceptable.

For these servers, we decided to go down the road of turning off crl checking to return assembly loading performance to "normal". Unfortunately this is a per user setting, which meant implementing login scripts and registry changes for inbuilt accounts.

On these servers we have actually locked down CAS Policy so that only known publishers have any permissions, anything else in any zone gets nada.

re: Authenticode and Assemblies

shawnfa — Wed, 14 Dec 2005 21:52:32 GMT

Sure -- you have to evaluate the costs of signing with a certificate vs the benefits it gives you.

Costs include the startup delay as we attempt to verify the signature, which does involve getting a new CRL.

If you're disabling the CRL, and could make a trust decision based upon just a key, strong naming might be a better option for you.

-Shawn

re: Authenticode and Assemblies

Foo — Fri, 24 Feb 2006 09:41:05 GMT

A simple solution to the CRL check overhead is to use authenticode certificates that don't have a CDP embedded in them. Of course, this generally implies a self-signed cert, but we've found this to be an acceptable compromise.

re: Authenticode and Assemblies

Daniel — Thu, 16 Nov 2006 10:01:49 GMT

The CRL check can be disastrous if the check happens during an install and it's a service exe (or dependency) that's being checked. The service only has 30 seconds to start and if the network is in a broken state, then the service never starts and the install craps out.

I don't understand why Microsoft tells ISVs that Authenticode signatures must be used for Vista Logo compliance.

Especially when this failure is very easy to reproduce.

re: Authenticode and Assemblies

shawnfa — Mon, 18 Dec 2006 04:07:27 GMT

Yes, services are an especially painful point for this issue. If you need to write a managed service, you could write a thin native layer which is the signed entyr point, and delegates to managed code to do the rest of the work as one option.

-Shawn

Untitled Document

Untitled Document — Mon, 18 Dec 2006 10:17:02 GMT

PingBack from http://www.autocadgunlugu.com/autodesk%e2%80%99in-internet-uzerinden-kontrol-yaptigi-soylentileri-yayiliyor/

re: Authenticode and Assemblies

George Birbilis — Thu, 01 Feb 2007 22:55:48 GMT

btw, checkout

http://forum.sysinternals.com/forum_posts.asp?TID=2845

Enumerating Evidence

.Net Security Blog — Fri, 23 Feb 2007 20:15:39 GMT

The Evidence class supports being enumerated in three different ways: GetAssemblyEnumerator GetHostEnumerator

re: Authenticode and Assemblies

... — Sat, 21 Apr 2007 14:15:30 GMT

Scommettevo che avete speso molto tempo lavorare al luogo. Ha valso la pena di fare;)

Bypassing the Authenticode Signature Check on Startup

.Net Security Blog — Mon, 07 May 2007 21:25:37 GMT

A while back I wrote about the performance penalty of loading an assembly with an Authenticode signature