Mono's Security Tools - README
Last updated: January 20, 2005

* General notes

- This directory contains clones for .NET security tools;
- All tools are 100% managed code with no dependency to the Mono's runtime,
  except permview (which wouldn't be possible in managed code in Fx 1.0/1.1).
- A much as possible the same command line arguments as the original are used;
- Documentation (man) is available for most tools;
- Authenticode(r) support is MINIMAL - there are still many missing
  validations.


* Authenticode tutorial

1.    Getting a test certificate

The tool makecert.exe can create test certificates. The test certificates are
only trusted by Mono's security tools (i.e. the resulting signature won't be
valid on Windows [1]). For "real" certificates you must deal with (and pay) a
trusted commercial CA (or you can have your own CA inside your entreprise).

The command:
mono makecert.exe -n "CN=your name" -sv yourkeypair.pvk yourcert.cer

will create both a PVK file (containing your private key) and a CER file
(containing the X.509 certificate). This step will take some time because the
tools must generate your own keypair (in this case a 1024 bits RSA keypair).

example:
mono makecert.exe -n "CN=Sebastien Pouliot" -sv spouliot.pvk spouliot.cer


2.    Getting a SPC file

The certificate file (.cer) must be converted into a SPC (software publisher
certificate) file before signing any assembly (or executable file).

The command:
mono cert2spc.exe yourcert.cer yourspc.spc

will create your SPC file from your X.509 certificates files.

example:
mono cert2spc.exe spouliot.cer spouliot.spc


3.    Signing an assembly

You need both your PVK (private key) and SPC files to sign an assembly (or
any PE file). You may also include a countersignature in your assembly using
a timestamp server (so the signature can still be verified after your
certificate is expired).

The command:
mono signcode.exe -v yourkeypair.pvk -spc yourspc.spc -t
http://timestamp.verisign.com/scripts/timstamp.dll yourassembly.exe

will sign the specified PE file using your private key and embed your
certificate and a timestamp. Note: there are no "e" in timstamp.dll !

example:
mono signcode.exe -v spouliot.pvk -spc spouliot.spc -t
http://timestamp.verisign.com/scripts/timstamp.dll small.exe


4.    Checking an assembly

Anyone can now validate the assembly signature using the chktrust tool.

The command:
mono chktrust.exe yourassembly.exe

will verify the integrity of the specified PE file. Any change to the file
will invalidate it's signature.

example:
mono chktrust.exe small.exe



[1] FOR TEST PURPOSE ONLY ON WINDOWS

As stated you can "activate" the Mono's test certificate by doing the
following steps.

a.	Generate the Mono's root certificate
	mono makecert.exe -r mono.cer
b.	Double-click on the mono.cer file
c.	Click on the "Install certificate..." button
d.	Read everything then, if you still want to, answer YES to add the test
	certificate in your TRUSTED root certificates.

Be warned that by doing so YOU ARE TRUSTING THIS TEST CERTIFICATE on your
system. This is bad for several reason, foremost that EVERYONE has access to
it's private key! Please remove the test certificate AS SOON as you have
finished testing using it.

--------------------
sebastien@ximian.com