Software development is full of pitfalls. Sometimes it’s the little things that can have you up burning the midnight oil. The dumb stuff that in the cold light of day you wonder how you ever missed. So when you read some of these posts you may end up thinking “Who could be that stupid?” Well, it was me, and I’m sure I’m not the only one… hence the post.
Using SN.EXE on Vista
So here’s something we ran into the other day while testing installers on Vista. Our installer currently contains delay-signed binaries, as we don’t do final signing for our nightly builds. We’re installing assemblies in the GAC and running one of them as a custom action as part of the MSI’s installation, so before running the MSI we were disabling strong name verification for all DLLs signed with our key.
SN.EXE -Vr *,############
Doing this from a Visual Studio command prompt as a (non-administrator) user seems to work just fine – no errors and no Vista security prompt – and SN.EXE -Vl lists the verification skipping entry correctly.
But… the installer fails when it tries to execute assemblies or put them in the GAC. Similarly, if I try to use GACUTIL.EXE /i to install an assembly from a shell running as administrator, it fails.
So disabling strong name verification without administrator rights fails in some way. If I run SN.EXE from an administrator prompt to disable verification I see exactly the same thing but… the installer works and running GACUTIL /i on my assembly is fine.
In retrospect this seems a bit odd. A normal user can simply turn off strong name verification!? Obviously not, that would break the Vista security model big time. The trick here is that really all SN.EXE is doing is editing the registry. It accesses the following key to update the list of strong names that should be skipped:
If you run as administrator this key is accessible and is updated correctly. When you run this as a (non-administrator) user then the registry is virtualized and the following key is used:
Ooops! Clearly not what was intended. This key isn’t going to be found when I try and add something to the GAC. So to all intents and purposes I have not really disabled anything. All I’ve done is written to a registry key that will be ignored.
Personally I think SN should fail here, but there you go. It’s not like I had anything better to do right?
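One way to get the failure the post asks for is to wrap the call in a script that checks for elevation first. This PowerShell wrapper is an added example, not code from the original post or from Microsoft; the script parameters and function names are hypothetical, sn.exe is assumed to be on PATH, and the HKLM\SOFTWARE-relative subkey that sn.exe updates must be supplied by the caller.

```powershell
# Added example: refuse to run "sn.exe -Vr" unless the process is elevated.
param(
    [Parameter(Mandatory = $true)] [string] $AssemblySpec,  # e.g. '*,<public-key-token>'
    [string] $SnPath = 'sn.exe',     # assumption: sn.exe is on PATH
    [string] $SoftwareSubKey = ''    # assumption: caller supplies the HKLM\SOFTWARE-relative
                                     # subkey sn.exe updates; empty skips the stale-copy check
)

function Test-Elevated {
    # True only when Administrators membership is enabled in the current token,
    # i.e. the process is elevated under UAC.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-VirtualizedKeyPath([string] $SubKey) {
    # Redirected HKLM\SOFTWARE writes land in the per-user VirtualStore.
    # Only the current user's hive is checked here.
    $path = "HKCU:\Software\Classes\VirtualStore\MACHINE\SOFTWARE\$SubKey"
    if (Test-Path -LiteralPath $path) { $path } else { $null }
}

if (-not (Test-Elevated)) {
    Write-Error "Not elevated: '$SnPath -Vr' would only update a virtualized key that is ignored. Re-run from an administrator prompt."
    exit 1
}

if ($SoftwareSubKey) {
    $stale = Get-VirtualizedKeyPath $SoftwareSubKey
    if ($stale) {
        Write-Warning "Virtualized copy left by an earlier non-elevated run: $stale"
    }
}

# Register the verification skip entry, then list what the elevated process sees.
& $SnPath -Vr $AssemblySpec
if ($LASTEXITCODE -ne 0) {
    Write-Error "sn.exe exited with code $LASTEXITCODE"
    exit $LASTEXITCODE
}
& $SnPath -Vl
```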
This is fixed in Visual Studio 2008 – more details in my updated post: