VSTO Addin Code Signing | Security Question
Hello,
I would like to use the best secure coding practices in a VSTO Addin project I am implementing for the Microsoft Outlook application, and I have a question regarding code signing.
Following the creation of a code signing certificate (.pfx), I have successfully signed:
a) the DLL files produced by my project, using Visual Studio post-build event parameters.
b) the EXE and MSI installers, using the SignTool command-line tool.
c) the <filename>.vsto and <filename>.dll.manifest files.
My question is this: I used the mage tool (Manifest Generation and Editing Tool) to sign the <filename>.vsto and <filename>.dll.manifest files via the following commands, according to Microsoft:
"C:\Program Files (x86)\......\mage.exe" -sign "<filename>.dll.manifest" -CertFile <certificate.pfx> -Password <password>
"C:\Program Files (x86)\......\mage.exe" -update "<filename>.vsto" -appmanifest "<filename>.dll.manifest" -CertFile <certificate.pfx> -Password <password>
I verified that the relevant files have a "valid signature" by viewing the output of the following commands (in addition to the Visual Studio build output, which reports successful signing):
"C:\Program Files (x86)\......\mage.exe" -ver "<filename>.vsto"
"C:\Program Files (x86)\......\mage.exe" -ver "<filename>.dll.manifest"
However, when I check their properties in Windows Explorer I do not see any "Digital Signatures" tab; I am not sure if this is the proper setting.
Am I missing something? Please let me know if there is anything I could additionally do to enhance the security posture of my VSTO Addin project.
Thank you.
References:
- https://github.com/MicrosoftDocs/visualstudio-docs/blob/master/docs/deployment/how-to-re-sign-application-and-deployment-manifests.md
- https://learn.microsoft.com/en-us/dotnet/framework/tools/mage-exe-manifest-generation-and-editing-tool
- https://stackoverflow.com/questions/10834663/pre-and-post-build-event-parameters
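The two signing mechanisms in the question are verified differently: SignTool applies an Authenticode signature to DLL, EXE and MSI files, which is what Explorer's "Digital Signatures" tab displays, whereas mage embeds an XML digital signature (xmldsig) inside the .vsto and .dll.manifest files, which Explorer has no tab for. The PowerShell script below is an added example, not code from the original post or from Microsoft; it checks both kinds of signature across a build output folder. The folder path is an assumed placeholder, and the script only reports whether a Signature element and its embedded certificate are present in each manifest; mage -ver remains the tool that actually validates the manifest signature.

```powershell
# Added example (not from the original post). Walks a publish folder and reports
# (1) Authenticode signatures on PE/MSI files and (2) embedded xmldsig signatures
# in ClickOnce/VSTO manifests. $OutDir is an assumed placeholder path.
param(
    [string]$OutDir = "C:\path\to\publish"
)

# 1. Authenticode: DLL / EXE / MSI. This is the signature Explorer shows.
Get-ChildItem -Path $OutDir -Include *.dll, *.exe, *.msi -Recurse -File | ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_.FullName
    [pscustomobject]@{
        File    = $_.Name
        Kind    = 'Authenticode'
        Status  = $sig.Status                 # Valid, NotSigned, HashMismatch, ...
        Signer  = $sig.SignerCertificate.Subject
        Expires = $sig.SignerCertificate.NotAfter
    }
}

# 2. xmldsig: .vsto and .dll.manifest. mage writes a <Signature> element in the
#    xmldsig namespace into the XML; Explorer does not surface it.
Get-ChildItem -Path $OutDir -Include *.vsto, *.manifest -Recurse -File | ForEach-Object {
    [xml]$doc = Get-Content -Path $_.FullName -Raw
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')

    $sigNode = $doc.SelectSingleNode('//ds:Signature', $ns)
    $signer  = $null
    $expires = $null
    if ($sigNode) {
        # The signing certificate is carried base64-encoded inside KeyInfo.
        $certNode = $sigNode.SelectSingleNode('.//ds:X509Certificate', $ns)
        if ($certNode -and $certNode.InnerText) {
            $bytes = [Convert]::FromBase64String($certNode.InnerText.Trim())
            $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(, $bytes)
            $signer  = $cert.Subject
            $expires = $cert.NotAfter
        }
    }
    [pscustomobject]@{
        File    = $_.Name
        Kind    = 'xmldsig'
        Status  = if ($sigNode) { 'SignaturePresent (validate with mage -ver)' } else { 'NotSigned' }
        Signer  = $signer
        Expires = $expires
    }
}
```

A manifest that shows NotSigned here, or whose embedded certificate subject differs from the Authenticode signer on the DLLs, is worth a second look before shipping; a consistent signer across both tables is what you would expect after the signing steps described in the question.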