Gotchas: Using SN.EXE on Vista
Thursday, September 27, 2007 – 10:23 AM
Software development is full of pitfalls. Sometimes it’s the little things that can have you up burning the midnight oil. The dumb stuff that in the cold light of day you wonder how you ever missed. So when you read some of these posts you may end up thinking “Who could be that stupid?”, well it was me and I’m sure I’m not the only one… hence the post.
Using SN.EXE on Vista
So here’s something we ran into the other day while testing installers on Vista. Our installer currently contains delay signed binaries as we don’t do final signing for our nightly builds. We’re installing assemblies in the GAC and running one of them as a custom action as part of the MSI’s installation, so before running the MSI we were disabling strong name verification for all DLLs signed with our key.
SN.EXE -Vr *,############
Doing this from a Visual Studio command prompt as a (non-administrator) user seems to work just fine – no errors and no Vista security prompt, and SN.EXE -Vl lists the verification skipping entry correctly.
But… the installer fails when it tries to execute assemblies or put them in the GAC. Similarly, if I try to use GACUTIL.EXE /i to install an assembly from a shell running as administrator, it fails.
So disabling strong name verification without administrator rights fails in some way. If I run SN.EXE from an administrator prompt to disable verification I see exactly the same thing but… the installer works and running GACUTIL /i on my assembly is fine.
In retrospect this seems a bit odd. A normal user can simply turn off strong name verification!? Obviously not, that would break the Vista security model big time. The trick here is that really all SN.EXE is doing is editing the registry. It accesses the following key to update the list of strong names that should be skipped:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\StrongName\Verification
If you run as administrator this key is accessible and is updated correctly. When you run this as a (non-administrator) user then the registry is virtualized and the following key is used:
HKEY_USERS\<User SID>_Classes\VirtualStore\MACHINE\SOFTWARE\Microsoft\StrongName\Verification
Ooops! Clearly not what was intended. This key isn’t going to be found when I try and add something to the GAC. So to all intents and purposes I have not really disabled anything. All I’ve done is written to a registry key that will be ignored.
Personally I think SN should fail here, but there you go. It’s not like I had anything better to do right?
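A quick way to see which of the two keys an entry actually landed in, as an added example that is not part of the original post. It assumes PowerShell 3 or later and that the PowerShell process itself is not subject to registry virtualization, so its reads of HKEY_LOCAL_MACHINE show the real key; the function name is hypothetical.

```powershell
# Added example, not from the original post. Key paths are the two named above;
# the function name Get-StrongNameSkipEntry is hypothetical.
function Get-StrongNameSkipEntry {
    # SID of the current user, needed to build the per-user VirtualStore path.
    $sid    = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
    $suffix = 'SOFTWARE\Microsoft\StrongName\Verification'
    $locations = [ordered]@{
        'Machine'      = "Registry::HKEY_LOCAL_MACHINE\$suffix"
        'VirtualStore' = "Registry::HKEY_USERS\${sid}_Classes\VirtualStore\MACHINE\$suffix"
    }
    foreach ($name in $locations.Keys) {
        $path = $locations[$name]
        if (-not (Test-Path -LiteralPath $path)) { continue }
        # Each skip entry is a subkey named "<assembly>,<public key token>".
        Get-ChildItem -LiteralPath $path -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{ Location = $name; Entry = $_.PSChildName }
            }
    }
}

$entries = @(Get-StrongNameSkipEntry)
$machine = @($entries | Where-Object { $_.Location -eq 'Machine' } |
             ForEach-Object { $_.Entry })

foreach ($e in $entries) {
    if ($e.Location -eq 'Machine') {
        Write-Output "ACTIVE   $($e.Entry)  (in the real HKLM key)"
    } elseif ($machine -notcontains $e.Entry) {
        Write-Output "IGNORED  $($e.Entry)  (VirtualStore only; rerun SN.EXE -Vr elevated)"
    }
}
if ($entries.Count -eq 0) { Write-Output 'No skip-verification entries found.' }
```

An ACTIVE entry means assemblies matching that name and token are loaded without strong name verification, so it is worth removing with SN.EXE -Vu once testing is finished.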
This is fixed in Visual Studio 2008 – more details in my updated post:
2 Responses to “Gotchas: Using SN.EXE on Vista”
Great!
I built another tool that will handle all sn.exe activities. It can be downloaded free at
http://sourceforge.net/projects/securemyapp/.
Still in beta but works. I have more tools to add.
Talley
Raleigh, NC
By Talley on Sep 29, 2009