CREATE ASSEMBLY for assembly is not trusted : SQL 2019

Question

CREATE ASSEMBLY for assembly is not trusted : SQL 2019

Hi .
I am using SQL Server 2019. I am trying yo add an assembly in SQL. The code works fine in SQL 2016, but errors out in 2019 with the below error :

"CREATE ASSEMBLY for assembly 'ABC.MSSQL' failed because assembly 'ABC.MSSQL' is not trusted. The assembly is trusted when either of the following is true: the assembly is signed with a certificate or an asymmetric key that has a corresponding login with UNSAFE ASSEMBLY permission, or the assembly is trusted using sp_add_trusted_assembly."

How to fix this ?

Answer 1

Dan Guzman 7,121

CLR strict security is on by default in SQL 2017 and later versions. The proper approach is to follow the recommendations detailed in the error message you received so that the assembly can be created. Your other option is to disable the CLR strict security option but that is not recommended per the documentation.

Padmanabhan, Venkatesh 241 Reputation points

2020-12-24T11:18:41.913+00:00

Hi.
Below is my current code. Could you please let me know, what needs to be changed

GRANT EXTERNAL ACCESS ASSEMBLY TO [Test Systems];
Erland Sommarskog 72,251 Reputation points MVP

2020-12-24T11:25:08.527+00:00
If the error message is to be believed, you need to add

GRANT UNSAFE ASSEMBLY TO [Test Systems];
Padmanabhan, Venkatesh 241 Reputation points

2020-12-24T11:27:50.377+00:00

HI.
Thanks. Should this be added in the first SQL or second ?
Erland Sommarskog 72,251 Reputation points MVP

2020-12-24T11:33:24.71+00:00

I like to point that while you can get answers in a forum, you are in no way prohibited to think for yourself. Where do you think the command fits in? And moreover, did you try it?
Padmanabhan, Venkatesh 241 Reputation points

2020-12-24T11:36:57.943+00:00

Apologies. Thanks , I will try and provide the feedback

Answer 2

Hi @Padmanabhan, Venkatesh ,

Are there any updates to this issue?
And based on my research, before an Assembly can be created, you first need to:

Sign the Assembly with a strong-name key or a certificate
Create an Asymmetric Key or Certificate in master from whatever you signed the Assembly with
Create a Login based on that Asymmetric Key or Certificate
Grant that Login the UNSAFE ASSEMBLY permission

And You don't need to grant both UNSAFE ASSEMBLY and EXTERNAL ACCESS ASSEMBLY permissions to the signature-based login. The UNSAFE ASSEMBLY permission assumes the EXTERNAL ACCESS ASSEMBLY permission such that you can set assemblies to either PERMISSION_SET if you have the UNSAFE ASSEMBLY permission.
For more details, please refer to this thread and this article which might help.

Best Regards,
Amelia

If the answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

CREATE ASSEMBLY for assembly is not trusted : SQL 2019

2 answers

Activity