question

Efstratios-7291 avatar image
0 Votes"
Efstratios-7291 asked Efstratios-7291 published

VSTO Addin Code Signing | Security Question

Hello,

I would like to use the best security coding practices in a VSTO Addin project I am implementing for Microsoft Outlook application and I have a question regarding code signing.

Following the creation of a code signing certificate (.pfx), I have successfully signed:

a) the DLL files produced by my project via using Visual Studio post-build event parameters.

b) the EXE & MSI installers using the SignTool command-line tool.

c) <"filename">.vsto and <"filename">.dll.manifest files

My question is that I used mage tool (Manifest Generation and Editing Tool) to sign the <"filename">.VSTO and <"filename">.dll.manifest files via the following commands - according to Microsoft:

  "C:\Program Files (x86)\......\mage.exe" -sign "<filename>.dll.manifest" -CertFile <certificate.pfx> -Password <password>
  "C:\Program Files (x86)\......\mage.exe" -update "<filename>.vsto" -appmanifest "<filename>.dll.manifest" --CertFile <certificate.pfx> -Password <password>

Verified that the relevant files have a "valid signature" after viewing the output of the following commands; apart from Visual Studio build output (reporting successful signing):

  "C:\Program Files (x86)\......\mage.exe" -ver "<filename>.vsto"
  "C:\Program Files (x86)\......\mage.exe" -ver "<filename>.dll.manifest"

However, when I check their properties via the windows explorer I do not see any "Digital Signatures" tab, not sure if this is the proper setting?

Am I missing something? Please let me know if there is anything I could additionally do to enhance the security posture of my VSTO Addin project.

Thank you.

References:

office-addins-devoffice-vsto-com-devdotnet-aspnet-core-security
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

0 Answers