I'm using LLBLGen Pro 2.0.0.0 Final with adaptor and .NET 2.0/c# connecting to a SQL Server 2005 dB.

I'm in the process of preparing my application and installer in order to submit it for Vista Certification and one of the requirements is that all application files must be digitally signed.

I was wondering whether there are signed versions of the following DLLs available?

SD.LLBLGen.Pro.DQE.SqlServer.NET20.dll SD.LLBLGen.Pro.ORMSupportClasses.NET20.dll

If not, I can apply for a waiver as these are third party files.

Thanks, Chris

With 'digitally signed' you mean signed with a certificate from Microsoft? No these aren't available. I also think that's unnecessary considering the fact that they're already signed, namely with our strong key. We don't have a certificate from MS to sign code for 'vista', which is another signing process.

Is MS requiring this from you?

What's meant with a 'waiver' ?

Hi Otis and thanks for your swift response (as always).

The "digital signing" for Vista Certification requires files (for example .cab, .msi, .exe, .dll, .ocx) to be signed with a digital certificate file (we have a personal information exchange file with a .pvk suffix) that you have to purchase from a certificate provider such as Verisign. Packages like InstallShield include the ability to digitally sign your files or you can do this manually using MS's SignTool.exe

Once this is done and you look at the Properties of your file you'll see an additional "Digital Signatures" tab that includes your company name, an email address and timestamp.

When I first looked at this I also thought that they meant signing assemblies with a strong name key file.

If you use third party files, like the LLBL Gen Pro DLLs, that aren't digitally signed then you have the option to fill out a "waiver" document (a disclaimer) that explains that the files aren't authored by yourself.

Understood . Though I think we're not going to sign our dll's with such a certificate. For one, we don't have one (we generate our own for our own https sites) and getting one will take time and money (I don't know how much, but it's not free).

So if we could opt for that waiver option, I'd like to do so . If you really want to have these dll's digitally signed, please recompile the sourcecode and sign those dlls with your certificate.

AFAIK these are the cheapest: http://www.instantssl.com/code-signing/

I find that pretty expensive for not really any value, besides a certificate which allows us to sign the dlls (which brings nothing to the table) in a cumbersome process.

I understand the point behind signing code and that it will make the world in theory a better place. However in practise... I find it money thrown away, simply because the whole singing business is actually pretty useless: the user doesn't care, s/he simply wants the program.

For one, it guarantees that the code is authentic and it hasn't been tampered. If I install an application I usually feel better if I see that it has been signed by somebody and the signature is valid. Perhaps the user doesn't care, but he/she should care - there is always a risk of installing tampered apps and the worst consequences are there. OTOH I agree that it is expensive. Heck, $166/year for a pair of numbers isn't exactly cheap.

mihies wrote:

For one, it guarantees that the code is authentic and it hasn't been tampered. If I install an application I usually feel better if I see that it has been signed by somebody and the signature is valid.

It's just another type of signature. Our dlls are signed already, just not with an expensive set of keys True, they're not verifyable with an authority.

One of the problems with strong key signature is the fact, that you see it only after setup is finished. IOW if there was offensive code in setup it will run with high privileges before you check the signature of an assembly. But even if assemblies are authentic, nobody guarantees that the setup.exe itself is benign. Furthermore we have to sponsor ca owners to fly into the space.

heh

The installer itself also has to be signed with a certificate btw.