Mono's Security Tools - README Last updated: January 20, 2005 * General notes - This directory contains clones for .NET security tools; - All tools are 100% managed code with no dependency to the Mono's runtime, except permview (which wouldn't be possible in managed code in Fx 1.0/1.1). - A much as possible the same command line arguments as the original are used; - Documentation (man) is available for most tools; - Authenticode(r) support is MINIMAL - there are still many missing validations. * Authenticode tutorial 1. Getting a test certificate The tool makecert.exe can create test certificates. The test certificates are only trusted by Mono's security tools (i.e. the resulting signature won't be valid on Windows [1]). For "real" certificates you must deal with (and pay) a trusted commercial CA (or you can have your own CA inside your entreprise). The command: mono makecert.exe -n "CN=your name" -sv yourkeypair.pvk yourcert.cer will create both a PVK file (containing your private key) and a CER file (containing the X.509 certificate). This step will take some time because the tools must generate your own keypair (in this case a 1024 bits RSA keypair). example: mono makecert.exe -n "CN=Sebastien Pouliot" -sv spouliot.pvk spouliot.cer 2. Getting a SPC file The certificate file (.cer) must be converted into a SPC (software publisher certificate) file before signing any assembly (or executable file). The command: mono cert2spc.exe yourcert.cer yourspc.spc will create your SPC file from your X.509 certificates files. example: mono cert2spc.exe spouliot.cer spouliot.spc 3. Signing an assembly You need both your PVK (private key) and SPC files to sign an assembly (or any PE file). You may also include a countersignature in your assembly using a timestamp server (so the signature can still be verified after your certificate is expired). The command: mono signcode.exe -v yourkeypair.pvk -spc yourspc.spc -t http://timestamp.verisign.com/scripts/timstamp.dll yourassembly.exe will sign the specified PE file using your private key and embed your certificate and a timestamp. Note: there are no "e" in timstamp.dll ! example: mono signcode.exe -v spouliot.pvk -spc spouliot.spc -t http://timestamp.verisign.com/scripts/timstamp.dll small.exe 4. Checking an assembly Anyone can now validate the assembly signature using the chktrust tool. The command: mono chktrust.exe yourassembly.exe will verify the integrity of the specified PE file. Any change to the file will invalidate it's signature. example: mono chktrust.exe small.exe [1] FOR TEST PURPOSE ONLY ON WINDOWS As stated you can "activate" the Mono's test certificate by doing the following steps. a. Generate the Mono's root certificate mono makecert.exe -r mono.cer b. Double-click on the mono.cer file c. Click on the "Install certificate..." button d. Read everything then, if you still want to, answer YES to add the test certificate in your TRUSTED root certificates. Be warned that by doing so YOU ARE TRUSTING THIS TEST CERTIFICATE on your system. This is bad for several reason, foremost that EVERYONE has access to it's private key! Please remove the test certificate AS SOON as you have finished testing using it. -------------------- sebastien@ximian.com