Mono's Security Tools - README
+Last updated: January 20, 2005
+
+* General notes
- This directory contains clones for .NET security tools;
-- All tools are 100% managed code with no dependency to the Mono's runtime or any other libraries.
-- A much as possible the same command line arguments are used;
-- Documentation (man) is available for some tools;
-- All tools, except secutil.exe, requires the Mono.Security.dll assembly.
+- All tools are 100% managed code with no dependency to the Mono's runtime,
+ except permview (which wouldn't be possible in managed code in Fx 1.0/1.1).
+- A much as possible the same command line arguments as the original are used;
+- Documentation (man) is available for most tools;
+- Authenticode(r) support is MINIMAL - there are still many missing
+ validations.
+
+
+* Authenticode tutorial
+
+1. Getting a test certificate
+
+The tool makecert.exe can create test certificates. The test certificates are
+only trusted by Mono's security tools (i.e. the resulting signature won't be
+valid on Windows [1]). For "real" certificates you must deal with (and pay) a
+trusted commercial CA (or you can have your own CA inside your entreprise).
+
+The command:
+mono makecert.exe -n "CN=your name" -sv yourkeypair.pvk yourcert.cer
+
+will create both a PVK file (containing your private key) and a CER file
+(containing the X.509 certificate). This step will take some time because the
+tools must generate your own keypair (in this case a 1024 bits RSA keypair).
+
+example:
+mono makecert.exe -n "CN=Sebastien Pouliot" -sv spouliot.pvk spouliot.cer
+
+
+2. Getting a SPC file
+
+The certificate file (.cer) must be converted into a SPC (software publisher
+certificate) file before signing any assembly (or executable file).
+
+The command:
+mono cert2spc.exe yourcert.cer yourspc.spc
+
+will create your SPC file from your X.509 certificates files.
+
+example:
+mono cert2spc.exe spouliot.cer spouliot.spc
+
+
+3. Signing an assembly
+
+You need both your PVK (private key) and SPC files to sign an assembly (or
+any PE file). You may also include a countersignature in your assembly using
+a timestamp server (so the signature can still be verified after your
+certificate is expired).
+
+The command:
+mono signcode.exe -v yourkeypair.pvk -spc yourspc.spc -t
+http://timestamp.verisign.com/scripts/timstamp.dll yourassembly.exe
+
+will sign the specified PE file using your private key and embed your
+certificate and a timestamp. Note: there are no "e" in timstamp.dll !
+
+example:
+mono signcode.exe -v spouliot.pvk -spc spouliot.spc -t
+http://timestamp.verisign.com/scripts/timstamp.dll small.exe
+
+
+4. Checking an assembly
+
+Anyone can now validate the assembly signature using the chktrust tool.
+
+The command:
+mono chktrust.exe yourassembly.exe
+
+will verify the integrity of the specified PE file. Any change to the file
+will invalidate it's signature.
+
+example:
+mono chktrust.exe small.exe
+
+
+
+[1] FOR TEST PURPOSE ONLY ON WINDOWS
+
+As stated you can "activate" the Mono's test certificate by doing the
+following steps.
+
+a. Generate the Mono's root certificate
+ mono makecert.exe -r mono.cer
+b. Double-click on the mono.cer file
+c. Click on the "Install certificate..." button
+d. Read everything then, if you still want to, answer YES to add the test
+ certificate in your TRUSTED root certificates.
-Last updated: March 6, 2003 (post mono 0.22)
+Be warned that by doing so YOU ARE TRUSTING THIS TEST CERTIFICATE on your
+system. This is bad for several reason, foremost that EVERYONE has access to
+it's private key! Please remove the test certificate AS SOON as you have
+finished testing using it.
-Sebastien Pouliot
-Security Architect, Motus Technologies, http://www.motus.com/
-work: spouliot@motus.com
-home: spouliot@videotron.ca
+--------------------
+sebastien@ximian.com
projects / mono.git / blobdiff