简体   繁体   中英

VSTO Addin Code Signing | Security Question

I would like to use the best security coding practices in a VSTO Addin project I am implementing for Microsoft Outlook application and I have a question regarding code signing.

Following the creation of a code signing certificate ( .pfx ), I have successfully signed:

a) the DLL files produced by my project via using Visual Studio post-build event parameters .

b) the EXE & MSI installers using the SignTool command-line tool.

c) <"filename">.vsto and <"filename">.dll.manifest files

My question is that I used mage tool (Manifest Generation and Editing Tool) to sign the <"filename">.VSTO and <"filename">.dll.manifest files via the following commands - according to Microsoft:

 "C:\Program Files (x86)\....\mage.exe" -sign "<filename>.dll.manifest" -CertFile <certificate.pfx> -Password <password>
 "C:\Program Files (x86)\....\mage.exe" -update "<filename>.vsto" -appmanifest "<filename>.dll.manifest" --CertFile <certificate.pfx> -Password <password>

Verified that the relevant files have a "valid signature" after viewing the output of the following commands; apart from Visual Studio build output (reporting successful signing):

 "C:\Program Files (x86)\......\mage.exe" -ver "<filename>.vsto"
 "C:\Program Files (x86)\......\mage.exe" -ver "<filename>.dll.manifest"

However, when I check their properties via the windows explorer I do not see any " Digital Signatures " tab, not sure if this is the proper setting?

Am I missing something? Please let me know if there is anything I could additionally do to enhance the security posture of my VSTO Addin project.

Thank you.


You can see digital signature in Windows Explorer only for the executable (dll and exe) files.

VSTO is a text file (try to open it in Notepad).

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

粤ICP备18138465号  © 2020-2024 STACKOOM.COM