« Monad Release for Whidbey RTM | Main | Halloween Theme »

October 30, 2005

get-help about_signing

In the latest drop of Monad we changed the default ExecutionPolicy from "RemoteSigned" to "Restricted". The upshot of this is that people will likely receive messages that point them to "get-help about_signing" for more information.

Unfortunately we did not have the actual help written in time to include it with the drop--before we do a drop we have to build it, then sign it, then build a setup file, then sign that, then run a battery of tests on various architectures and operating systems, and then package it up for download. This all takes time (a couple of weeks, more or less) and we wanted to release the new bits sooner not later because the RTM of Whidbey is now available and people are hankering for Monad.

In the meantime we now have a version of the about_signing help file, written by Lee Holmes. We added it to the .zip you download with Monad, and if you want it to be picked up by get-help inside Monad, just copy the file about_signing.help.txt to your Monad installation directory. But I'm also including it right here in the hope that it will get picked up by anyone who searches the web for the file. And I'll put the name in the link text in case that helps. So here it is: about_signing.

Posted by AdamBa at October 30, 2005 06:13 PM

Trackback Pings

TrackBack URL for this entry:


You or Lee or someone might want to run that past the code signing team before you release the final version. "creates a local certificate authority" isn't really what happens. MAybe that was jsut mistyped, though.
Our team also really needs to do a doc scrub and figure out which URL(s) to have other folks point to for general Authenticode info.

I offer my heaping praises to you guys for not mucking with .pvk files.

How do you handle a signature from an expired certificate('s private key)?

Posted by: Drew at October 30, 2005 07:03 PM

We are calling WinVerifyTrust() which has all that logic. If the cert is expired, the call should fail.

- adam

Posted by: Adam Barr at October 30, 2005 10:16 PM

Correct -- the call does fail, unless the signature was time-stamped as well. If it is time-stamped, then the Authenticode infrastructure accepts the signature as long as the certificate was valid at the time the file was signed.

If it was not time-stamped, then the signature is only valid until the certificate expires.

(I'm not making this comment for the edification of either of you, obviously :) )

Posted by: Lee at October 31, 2005 12:15 AM

Gotcha. Didn't see any mention of timestamping in that help text so I didn't know whether you supported it. (In that respect, yes, your comment was edifying, Lee.)

Posted by: Drew at October 31, 2005 12:27 AM