102 lines
3.2 KiB
Plaintext
102 lines
3.2 KiB
Plaintext
|
Mono's Security Tools - README
|
||
|
Last updated: January 20, 2005
|
||
|
|
||
|
* General notes
|
||
|
|
||
|
- This directory contains clones for .NET security tools;
|
||
|
- All tools are 100% managed code with no dependency to the Mono's runtime,
|
||
|
except permview (which wouldn't be possible in managed code in Fx 1.0/1.1).
|
||
|
- A much as possible the same command line arguments as the original are used;
|
||
|
- Documentation (man) is available for most tools;
|
||
|
- Authenticode(r) support is MINIMAL - there are still many missing
|
||
|
validations.
|
||
|
|
||
|
|
||
|
* Authenticode tutorial
|
||
|
|
||
|
1. Getting a test certificate
|
||
|
|
||
|
The tool makecert.exe can create test certificates. The test certificates are
|
||
|
only trusted by Mono's security tools (i.e. the resulting signature won't be
|
||
|
valid on Windows [1]). For "real" certificates you must deal with (and pay) a
|
||
|
trusted commercial CA (or you can have your own CA inside your entreprise).
|
||
|
|
||
|
The command:
|
||
|
mono makecert.exe -n "CN=your name" -sv yourkeypair.pvk yourcert.cer
|
||
|
|
||
|
will create both a PVK file (containing your private key) and a CER file
|
||
|
(containing the X.509 certificate). This step will take some time because the
|
||
|
tools must generate your own keypair (in this case a 1024 bits RSA keypair).
|
||
|
|
||
|
example:
|
||
|
mono makecert.exe -n "CN=Sebastien Pouliot" -sv spouliot.pvk spouliot.cer
|
||
|
|
||
|
|
||
|
2. Getting a SPC file
|
||
|
|
||
|
The certificate file (.cer) must be converted into a SPC (software publisher
|
||
|
certificate) file before signing any assembly (or executable file).
|
||
|
|
||
|
The command:
|
||
|
mono cert2spc.exe yourcert.cer yourspc.spc
|
||
|
|
||
|
will create your SPC file from your X.509 certificates files.
|
||
|
|
||
|
example:
|
||
|
mono cert2spc.exe spouliot.cer spouliot.spc
|
||
|
|
||
|
|
||
|
3. Signing an assembly
|
||
|
|
||
|
You need both your PVK (private key) and SPC files to sign an assembly (or
|
||
|
any PE file). You may also include a countersignature in your assembly using
|
||
|
a timestamp server (so the signature can still be verified after your
|
||
|
certificate is expired).
|
||
|
|
||
|
The command:
|
||
|
mono signcode.exe -v yourkeypair.pvk -spc yourspc.spc -t
|
||
|
http://timestamp.verisign.com/scripts/timstamp.dll yourassembly.exe
|
||
|
|
||
|
will sign the specified PE file using your private key and embed your
|
||
|
certificate and a timestamp. Note: there are no "e" in timstamp.dll !
|
||
|
|
||
|
example:
|
||
|
mono signcode.exe -v spouliot.pvk -spc spouliot.spc -t
|
||
|
http://timestamp.verisign.com/scripts/timstamp.dll small.exe
|
||
|
|
||
|
|
||
|
4. Checking an assembly
|
||
|
|
||
|
Anyone can now validate the assembly signature using the chktrust tool.
|
||
|
|
||
|
The command:
|
||
|
mono chktrust.exe yourassembly.exe
|
||
|
|
||
|
will verify the integrity of the specified PE file. Any change to the file
|
||
|
will invalidate it's signature.
|
||
|
|
||
|
example:
|
||
|
mono chktrust.exe small.exe
|
||
|
|
||
|
|
||
|
|
||
|
[1] FOR TEST PURPOSE ONLY ON WINDOWS
|
||
|
|
||
|
As stated you can "activate" the Mono's test certificate by doing the
|
||
|
following steps.
|
||
|
|
||
|
a. Generate the Mono's root certificate
|
||
|
mono makecert.exe -r mono.cer
|
||
|
b. Double-click on the mono.cer file
|
||
|
c. Click on the "Install certificate..." button
|
||
|
d. Read everything then, if you still want to, answer YES to add the test
|
||
|
certificate in your TRUSTED root certificates.
|
||
|
|
||
|
Be warned that by doing so YOU ARE TRUSTING THIS TEST CERTIFICATE on your
|
||
|
system. This is bad for several reason, foremost that EVERYONE has access to
|
||
|
it's private key! Please remove the test certificate AS SOON as you have
|
||
|
finished testing using it.
|
||
|
|
||
|
--------------------
|
||
|
sebastien@ximian.com
|