Choosing Your Certificate

how-to | home

Shared Assembly Signature

To choose a certificate to sign a shares assembly display project properties and select the Signature page:

Click the upper choose button. This will display the system dialog with available certificates:

This dialog displays all certificates in your private store. If the list is empty you have no certificates. Look through the list and find the certificate you would like to use. Remember that this must be a Code Signing certificate with at least 2048 bit key. Click View Certificate to see the details on the selected certificate. Once you make your selection, click OK.

At this point you may get the following error message:

This means you do not have MS Platform SDK utilities installed or Manifest Maker configuration is incorrect. See Files From MS Platform SDK for more details.

After you successfully choose the certificate, the Signature page will display two hexadecimal strings. If you plan to sign the output MSI file, click the lower choose button and select a file signing certificate. The following screenshot shows the same certificate selected for both assembly signature and the MSI file signature. This is not normally done in real applications. The assembly signature is normally a private, self-signed, certificate and the file signature is normally a trusted third party-issued code signing certificate.

These values are used to identify your certificate.

Thumbprint
This value allows Manifest maker to locate the certificate in your certificate store when the time comes to sign the shared assembly.
Public Key Token
This value is written to the manifest to let Windows side-by-side verify the integrity of the shared assembly.

Viewing Signatures

A shared assembly built by Manifest maker has two new files in the assembly directory:

.CAT
This is the assembly catalog. It contains the name of the assembly manifest file along with the manifest hash value. This allows side-by-side to verify assembly integrity. First the integrity of the catalog then the manifest them each file - file hash values are stored in the manifest.
.MSI
This is the Windows Installer database. This file is used to install the shared assembly on the target machine.

If you double-click the .CAT file Windows will open the standard Security Catalog properties dialog:

The above dialog is an illustration of what happens when your Windows do not trust the source of your digital signature - note the error icon and the error message. This is not a problem, because side-by-side does not use the signature to verify the authenticity of the assembly, only its integrity. See Building Shared Assemblies for discussion of this topic. If you would like to get rid of the error message, tell Windows that you trust this signature. See Managing Your Certificates for information on how to do this.