Lots of people are familiar with obtaining and installing SSL Certificates for hosting secure web sites, but the area of code signing seems less cohesive. I’ve compiled some notes I have on the process together in this blog post.

Yes, but who are you?

Reputable publishers of code signing certificates require some evidence that you are authorized with respect to the organization you wish to have named on your certificate. In my case, being able to produce the ASIC registration for my company was enough, YMMV.

This is subtle, but important.

1. My company rego papers are credentials a Root CA (e.g Comodo, Verisign, Thawte, USERTrust etc) uses to trusts me.
2. The user (implicitly) trust the Root CA by using an OS with their Certificate installed.
3. Ergo, the user (indirectly) trusts me.

Macro projects in Microsoft Excel/Word/Visio/Access/etc

Once you have obtained your certificate, you are able to sign Macro projects in Office document templates by choosing Tools -> Digital Signature.

Your newly purchased certificate will appear in the list and by saving the project your template is signed. The difference is now the user is asked to trust you (as verified by the CA) and your code, rather than being asked to enable all macros.

Software distributed MSI packages

Signing MSI packages and CAB files is more visible than ever before in Windows Vista. This I think is a good thing, however I do worry that because there are a lot of unsigned installers out there that users may get the message that it’s not that important.

Once you have got your certificate from a CA, the process couldn’t be easier. There are a couple of ways to get signtool.exe, I usually have the Windows SDK on my machines which ships with it.  The command to sign ClassLibrary1.dll for example is: (assuming signing from a pfx, not the local cert store)

C:\Program Files\Microsoft SDKs\Windows\v6.0A\bin\signtool.exe sign /f My_Code_Signing_Cert.pfx /p L0ng5ecr3tp@ssw0rd /d name /du http://www.MyCompany.com /t http://timestamp.verisign.com/scripts/timestamp.dll ClassLibrary1.dll

The time stamping is important here, in that certificates expire. An external time stamp ensures that the assembly was signed while the certificate was valid.

.NET Assemblies

Technically, signing an assembly is not unlike signing an MSI. On one hand it is easier because you can do the signing from inside Visual Studio’s project properties

On the hand there is the concept of delay signing, where the actual private key is not available to the developer on a day-to-day basis.  This added security adds a layer of complexity that is frankly beyond the scope of this post. I will come back and dedicate a whole post to it some time

Windows Logo Certification / WinQual

This is the only case I can think of where the vendor of the certificate matters. A certificate from VeriSign is required to prove your identity in the WinQual program, which is required for a Windows Logo certification. VeriSign has special pricing is on offer for members of Windows Quality Online Services site.  The $99 cert from VeriSign is required for WinQual membership, and is all you need if you already have a code signing certificate. The $399 cert is valid for both code signing and WinQual membership.

So looking forward to another year in Visual Studio, and this year in Visual Studio 2008 no less! 

I thought I'd open 2008's blog posts with a note about what is in my toolkit at the moment for developing in VS2008.  So in no particular order...

What is in?

• Visual Studio 2008.  I played with it since Beta1, and blogged about it a bit too.  Living in the RTM now and quite liking it.
• Refactor! Pro and Coderush from Developer Express are still on my list.  There is a new version (3.0.5 at time of writing) out that has some cool new improvements.
  
• Aptana Studio.  I heard about this Eclipse-based IDE on the Hanselminutes podcast and had to check it out.  There are some good features in there for CSS and JS.  Worth having around and they cram a lot of IDE into a tiny space!
• The PowerShell Visual Studio Templates.  Powershell is getting more and more use in my life, and I love the idea of rolling your own cmdlet (pronounced:  "command-let") to manage your own apps.  The page says they are for VS2005 but they are good for VS2008 as well.
• NMock.  I know there are plenty of mocking frameworks out there each with their own style.  I just happen to like NMock.

What is out?

• The notable exclusion from my 2008 dev environment is NUnit.  I have been a fan and user of NUnit for some time, but am going with the MSTest-based unit testing framework that is built in to Visual Studio 2008.
• NAnt is on thin ice in my environment too in favour of MSBuild.  This is largely for pragmatic reasons, there is project information kept in both the VS Solution and in the NAnt file and my preference is to maintain it in one spot only.

And that's it!  I like to keep it light.  For Continuous Integration I am using CruseControl.NET.

I'm still searching for the perfect XPath/XSLT environment.  Visual Studio is OK for the moment, but I have a feeling that the perfect tool may just be Eclipse based :)

One question I have strugled to answer clearly in past is What is the difference between Windows Sharepoint Services (WSS 3.0) and Microsoft Office Sharepoint Server?

The first difference is in the name, and is best highlighted in the words of Richard Campbel of DNR/Run-As fame:  When it is a service it is free, when it is server you have to pay for it.

The following diagram shows how I keep them apart in my mind:

To explain a bit: this is not a complete list of features, and not the most important features, just my favs

So if you have any features that you think are really important and didn't get a mention, leave me a comment!

Listening To: You're Living All Over Me, Dinosaur Jr.

The problem with IIS6 that I have been curious about but up until today never needed a solution for.

The problem I am talking about is that with the IIS 6.0 UI you cannot set a host header on a SSL port for a domain.  You can live a long and happy life with a 1-cert-per-server config but with the case of a wildcard cert (one covering all subdomains of the domain it was purchased for) you really want to be able to take advantage of these extra subdomains.

Consider an example from a server below.  The two sites that are highlighted belong to the same domain - Lets call the red one www.MySite.com and the blue one shop.MySite.com.  There is a wildcard cert installed on the machine for *.MySite.com.

The first one is easy.  Install the cert and assign it to the site.

Setting this on subsequent sites on the same box is where you get the problem.  It can be done, and it isn't hard, you just have to know the trick!

The trick is the adsutil.vbs script that is included when you install IIS.  The default path to find these scripts is: C:\Inetpub\AdminScripts.

The process for assigning a host header for SSL to all subsequent sitess is:

1. Don't assign a SSL port number to the second site.  Leave it on port 80 for now
2. Open a command window and change to the path with adsutil.vbs.
3. Run the following command:  cscript.exe adsutil.vbs set /w3svc/<site identifier>/SecureBindings ":443:<host header>"   In our example above the <site identifier> is replaced with the Id of the blue site, 1023406912, and the <host header> is replaced with shop.MySite.com
4. adsutil will assign port 443 to the site, you do not need to reset IIS

TechNet has a rundown of all the things you can do with adsutil.vbs and IIS6, so check it out.  But don't get too attached - the Metabase is not showing up for IIS 7!

Listening To: The Boatman's Call, Nick Cave and the Bad Seeds

I just saw these and thought they were worthy of linkage

Clinic 2806: Microsoft® Security Guidance Training for Developers.

Clinic 2807: Microsoft® Security Guidance Training for Developers II.

There is a good breadth of topics covered, and the price is right

OK I'm wheeling out the Sharepoint Annoyances category for one last random show - until next time (kinda like the Rolling Stones)

The problem comes when you remove WSS 3.0 from a box and the instance of Microsoft SQL Server 2005 Embedded Edition (SSEE) does not get removed. 

This is by design, however if the reason you are removing WSS 3.0 is because of a problem with the SSEE database you have a problem.

It turns out it is easy to uninstall after all - I found the answer via Jérémie Clabaut's blog.

The good news is it is a one liner to call msiexec.  Quoting Jérémie:

msiexec /x {CEB5780F-1A70-44A9-850F-DE6C4F6AA8FB} callerid=ocsetup.exe

As is documented elsewhere - don't forget to move away / delete any errant Mdf/Ldf files as they can interfere with the reinstall. 

Thanks Jérémie!

Listening To:  The Velvet Underground and Nico, The Velvet Underground

So I recently got my first Bluetooth phone.  The whole purpose of the phone was to keep my calendar on the road in sync with my shiny new notebook, and it worked out OK actually.

Being a nerd I was curious about the Bluetooth protocol and how it works, the following is an architectural overview of how the protocol is used to sync calendar and todo items:

Outlook: oh Hai, iz me
Phone: Hai
Outlook: haz new itemz?
Phone: ya
Outlook: o rly?
Phone: ya rly, Lulz
Outlook: Can has new itemz?
Phone: here iz itemz rite now, k
Outlook: I has new itemz2
Phone: Srsly?
Outlook: ya, here iz them
Phone: we kool? awsum. kthxbai

I got this message again this morning and I am so sick of it!

Only 16 chars?  O RLY?  What if my dog's name is more than 16 chars long?

Further investigation of the JS source reveals that other error messages include:

Password can only contain letters and numbers

I am always talking to people about password policy and no wonder people are confused.  So much good guidance out there is buried under so much rubbish.

Compare this to the other user experience that is becoming more common:

Much better!  There was a time when it would be appropriate to explain why the second case is better... but in this day and age it should be obvious.  It is all about coercing people to do good passwords until they are made obsolete in the future.

Since Version 1.0.60731.0 of the ASP.NET AJAX Control Toolkit there has been a quite good Password Strength control available to the ASP.NET platform.  Everyone else (like my first, deliberately anonymous example) can just Google it!  There are plenty of samples available.

One that I liked was at Gerd Riesselmann's blog, where he shares (GPL) a simple example suitable for learning how this is done.

What do you think?  Is there any excuse for giving poor password guidance in 2007?