Mono's Security Tools - README
Last updated: January 20, 2005
- This directory contains clones of .NET security tools;
- All tools are 100% managed code with no dependency on Mono's runtime,
  except permview (which wouldn't be possible in managed code in Fx 1.0/1.1).
- As much as possible the same command line arguments as the originals are used;
- Documentation (man) is available for most tools;
- Authenticode(r) support is MINIMAL - there are still many missing
* Authenticode tutorial

1. Getting a test certificate
The tool makecert.exe can create test certificates. Test certificates are
only trusted by Mono's security tools (i.e. the resulting signature won't be
valid on Windows [1]). For "real" certificates you must deal with (and pay) a
trusted commercial CA (or you can run your own CA inside your enterprise).
mono makecert.exe -n "CN=your name" -sv yourkeypair.pvk yourcert.cer
will create both a PVK file (containing your private key) and a CER file
(containing the X.509 certificate). This step will take some time because the
tool must generate your keypair (in this case a 1024-bit RSA keypair).
mono makecert.exe -n "CN=Sebastien Pouliot" -sv spouliot.pvk spouliot.cer
The certificate file (.cer) must be converted into an SPC (software publisher
certificate) file before signing any assembly (or executable file).

mono cert2spc.exe yourcert.cer yourspc.spc
will create your SPC file from your X.509 certificate file.

mono cert2spc.exe spouliot.cer spouliot.spc
3. Signing an assembly

You need both your PVK (private key) and SPC files to sign an assembly (or
any PE file). You may also include a countersignature in your assembly using
a timestamp server (so the signature can still be verified after your
certificate has expired).
mono signcode.exe -v yourkeypair.pvk -spc yourspc.spc -t http://timestamp.verisign.com/scripts/timstamp.dll yourassembly.exe
will sign the specified PE file using your private key and embed your
certificate and a timestamp. Note: there is no "e" in timstamp.dll!
mono signcode.exe -v spouliot.pvk -spc spouliot.spc -t http://timestamp.verisign.com/scripts/timstamp.dll small.exe
4. Checking an assembly

Anyone can now validate the assembly signature using the chktrust tool.

mono chktrust.exe yourassembly.exe
will verify the integrity of the specified PE file. Any change to the file
will invalidate its signature.

mono chktrust.exe small.exe
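The four tutorial steps chained into one POSIX shell script, as an added example (not part of Mono's tools or the original README). It assumes the tools are invoked as "mono <tool>.exe" exactly as above; the MONO variable, the file names and the "CN=" name are placeholders of this example. The umask and the timstamp.dll spelling check are this example's additions: the first keeps the freshly generated PVK file readable by its owner only, the second catches the typo the tutorial warns about.

```shell
#!/bin/sh
# Added example: wraps makecert -> cert2spc -> signcode -> chktrust.
# MONO names the runner (default "mono"); set MONO=echo to print the
# commands instead of executing them.
MONO="${MONO:-mono}"

# Step 1: generate a test key pair (PVK) and certificate (CER).
# umask 077 in a subshell so the private key file is owner-readable only.
make_test_cert() {
    name="$1"; pvk="$2"; cer="$3"
    (umask 077 && $MONO makecert.exe -n "CN=$name" -sv "$pvk" "$cer")
}

# Step 2: wrap the X.509 certificate into a software publisher certificate.
cert_to_spc() {
    cer="$1"; spc="$2"
    $MONO cert2spc.exe "$cer" "$spc"
}

# The VeriSign timestamp URL ends in timstamp.dll (no "e"); return 1 when
# the URL carries the common misspelling so the caller can warn.
check_timestamp_url() {
    case "$1" in
        *timestamp.dll) return 1 ;;
    esac
    return 0
}

# Step 3: sign the PE file; the timestamp URL (4th argument) is optional.
sign_pe() {
    pvk="$1"; spc="$2"; pe="$3"; ts="$4"
    if [ -n "$ts" ]; then
        check_timestamp_url "$ts" || echo "warning: '$ts' looks misspelled" >&2
        $MONO signcode.exe -v "$pvk" -spc "$spc" -t "$ts" "$pe"
    else
        $MONO signcode.exe -v "$pvk" -spc "$spc" "$pe"
    fi
}

# Step 4: verify the embedded signature; a non-zero exit means the file was
# altered after signing or the signing certificate is not trusted.
check_pe() {
    $MONO chktrust.exe "$1"
}

# Run the whole tutorial for one assembly; key, cert and SPC files take the
# assembly's base name (constructed convention of this example).
authenticode_sign() {
    name="$1"; pe="$2"
    ts="${3:-http://timestamp.verisign.com/scripts/timstamp.dll}"
    base="${pe%.*}"
    make_test_cert "$name" "$base.pvk" "$base.cer" &&
    cert_to_spc "$base.cer" "$base.spc" &&
    sign_pe "$base.pvk" "$base.spc" "$pe" "$ts" &&
    check_pe "$pe"
}

# Usage with placeholder names: authenticode_sign "your name" small.exe
```

Because every function goes through $MONO, running the script with MONO=echo is a convenient dry run that prints the exact command lines the tutorial shows before any key material is created.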
[1] FOR TEST PURPOSE ONLY ON WINDOWS

As stated you can "activate" Mono's test certificate by doing the

a. Generate Mono's root certificate
   mono makecert.exe -r mono.cer
b. Double-click on the mono.cer file
c. Click on the "Install certificate..." button
d. Read everything then, if you still want to, answer YES to add the test
   certificate to your TRUSTED root certificates.
Be warned that by doing so YOU ARE TRUSTING THIS TEST CERTIFICATE on your
system. This is bad for several reasons, foremost that EVERYONE has access to
its private key! Please remove the test certificate AS SOON as you have
finished testing with it.