I have an application with the following restrictions:

  • It must be distributed via ClickOnce, with the manifest signed by a trusted certificate.
  • The assemblies must also be signed.

I have a PFX which was issued to my company for code signing (1.3.6.1.5.5.7.3.3), and this seems to work fine for signing the manifest if I generate a new key pair. However, if I try to use this PFX to sign the assembly, I get the following error:

Cannot import the following key file: mycert.pfx. The key file may be password protected. To correct this, try to import the certificate again or manually install the certificate to the Strong Name CSP with the following key container name: VS_KEY_A48FA8964C1342C1

Importing key file "mycert.pfx" was canceled.

I confirmed that

  • The certificate is in the strong name CSP via KeyPal.
  • The PFX does contain a private key.

I have tried the following to resolve this issue:

  • Removing the certificate via MMC and re-adding it to my personal store via Visual Studio (the 'Select from File' option in Project Properties → Signing), MMC, console (certutil), and the 'Install PFX' wizard from explorer. None of these appeared to make any difference.

  • Removing the certificate from the CSP with sn and re-adding it both with sn and from Visual Studio by just selecting the PFX from the to sign the assembly (you have to select <Browse> even if it already exists in the dropdown list). Neither of these appears to make any difference.

  • Changing the password on the PFX file. This only appears to change the hash that appears after VS_KEY_ in the error. Doing any of the above after changing the password doesn't appear to make any difference.

  • Generating an SNK from the PFX using sn -p and using that SNK to sign the assembly. This results in the following error:

    Cryptographic failure while signing assembly 'myproj.dll' -- 'Error signing assembly -- The parameter is incorrect. '

As I said, I can sign the assemblies with a generated key pair by selecting <New> inside Visual Studio. However, I'd really like to know how I can sign this assembly with the same PFX that I used for the manifest. Any suggestions?

p.s.w.g
  • Was this ever resolved? I'm facing a similar issue. – Corey Mar 17 '20 at 19:35
  • @Corey It's been a while (almost 5 years) since I worked on this project, so my memory's fuzzy, but sadly, no, I don't think it was ever completely resolved. I believe I was only able to work around it by signing with two different keys. It wasn't ideal and we had complaints about the installer not being trusted by all clients. I've since left that company, and I don't know if they ever found a permanent resolution. – p.s.w.g Mar 17 '20 at 21:18
  • Thanks anyways. For what it is worth, I was able to resolve the incorrect parameter issue by generating my pfx with the -keysig parameter: "openssl pkcs12 -export -inkey privatekey.key -in certificate.crt -out mypfx.pfx -keysig". I then was using "sn.exe -p mypfx.pfx mystrongname.snk", which resulted in the following error message: "missing the private key needed for signing". Finally, I was able to use the PowerShell script in this SO answer to get me up and running: https://stackoverflow.com/a/39549924/4698543 My issue was slightly different, so I won't add this as an answer. – Corey Mar 18 '20 at 17:10
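
Added example (not part of the question or its comments, and not the script from the linked answer): sn -p writes only the public key, so when strong-name signing fails it helps to check what an .snk file actually contains. The Python below reads the CryptoAPI blob header and reports whether a private key is present and whether the key is marked as a signature or key-exchange key, the distinction the -keysig option in the comments concerns. The names describe_snk and make_sample are chosen here, and the sample blobs are constructed with zero-filled key material.

```python
import struct

# CryptoAPI constants from wincrypt.h
PUBLICKEYBLOB, PRIVATEKEYBLOB = 0x06, 0x07
CALG_RSA_SIGN, CALG_RSA_KEYX, CALG_SHA1 = 0x2400, 0xA400, 0x8004
ALG_NAMES = {CALG_RSA_SIGN: "CALG_RSA_SIGN (signature key)",
             CALG_RSA_KEYX: "CALG_RSA_KEYX (key-exchange key)"}
HEADER = "<BBHI4sII"  # BLOBHEADER + RSAPUBKEY, 20 bytes


def describe_snk(data: bytes) -> dict:
    """Classify an .snk file from its CryptoAPI key blob header."""
    off = 0
    # Public-key-only files (what sn -p writes) carry a 12-byte prefix:
    # SigAlgID, HashAlgID, cbPublicKey, followed by a PUBLICKEYBLOB.
    if len(data) >= 32 and data[0] not in (PUBLICKEYBLOB, PRIVATEKEYBLOB):
        _sig, _hash, cb = struct.unpack_from("<III", data, 0)
        if cb != len(data) - 12:
            raise ValueError("not a strong-name public key file")
        off = 12
    if len(data) < off + struct.calcsize(HEADER):
        raise ValueError("too short for a key blob")
    btype, ver, _rsv, alg, magic, bits, exp = struct.unpack_from(HEADER, data, off)
    if ver != 2 or (btype, magic) not in ((PUBLICKEYBLOB, b"RSA1"),
                                          (PRIVATEKEYBLOB, b"RSA2")):
        raise ValueError("unrecognised blob header")
    return {"has_private_key": btype == PRIVATEKEYBLOB,
            "key_alg": ALG_NAMES.get(alg, hex(alg)),
            "bits": bits, "public_exponent": exp}


def make_sample(btype: int, alg: int, bits: int = 1024) -> bytes:
    """Constructed sample: correct header layout, zero-filled key material."""
    n = bits // 8
    if btype == PUBLICKEYBLOB:
        blob = struct.pack(HEADER, btype, 2, 0, alg, b"RSA1", bits, 65537) + bytes(n)
        return struct.pack("<III", CALG_RSA_SIGN, CALG_SHA1, len(blob)) + blob
    # Private blob body: modulus (n), five CRT values (n/2 each), d (n) = 4.5 * n
    return struct.pack(HEADER, btype, 2, 0, alg, b"RSA2", bits, 65537) + bytes(n * 9 // 2)


if __name__ == "__main__":
    samples = {"public only (sn -p style)": make_sample(PUBLICKEYBLOB, CALG_RSA_SIGN),
               "key pair, signature key": make_sample(PRIVATEKEYBLOB, CALG_RSA_SIGN),
               "key pair, key-exchange key": make_sample(PRIVATEKEYBLOB, CALG_RSA_KEYX)}
    for label, blob in samples.items():
        print(f"{label}: {describe_snk(blob)}")
```

To inspect a real file, pass its bytes: `describe_snk(open("mystrongname.snk", "rb").read())`.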

0 Answers