Trusted Publisher Store vs. NET Runtime Security

JGlowski

Re-Posting per concierge:

I'm trying to find a definitive answer concerning security requirements of
COM ADD-INs created using VSTO and VB.NET 2005 for Excel 2003 and 2007. I
have people in my organization that feel having signed all the dlls with my
Publisher's Cert. and having that certificate in the "Trusted Publishers
Store" should be enough to run the COM Add-IN in Excel (2003 and 2007). They
feel we should not have to give explicit permission to the Publisher in the
NET Framework Runtime Security if the Publisher is already in the Trusted
Publisher Store.

I can only get it working on a client PC by setting the Runtime Security.

Our CA is in Trusted Root Certificate Authorities and my Publisher's
Certificate is in the Trusted Publisher's Store. It's even visible from
Excel's Trusted Publishers list. However, the COM add-in only runs if I add
myself to the NET Framework Runtime Security.

I need something that clearly states that the Trusted Publisher Store can or
cannot be used and whether or not using the Runtime Security is the only way
to allow a VSTO/ VB.NET 2005 COM ADD_IN to run.
 
Jialiang Ge [MSFT]

Good morning, J. Welcome to Microsoft Newsgroup Support Service! My name is
Jialiang Ge (MSFT), and I will help you with this issue.

From the post, you are wondering whether or not we need to set the .NET
runtime security for VSTO add-in when we've already code-signed the
assembly with the Publisher's certificate. My answer is: yes, we need it.

There are two concepts here: code-signing and .NET runtime permission.

A. Code Signing
http://msdn.microsoft.com/en-us/library/ms537361.aspx
Code signing is for trusting the Publisher. It applies to all applications
besides the .NET ones.

B. .NET runtime security
http://msdn.microsoft.com/en-us/library/zdc263t0(VS.80).aspx
.NET runtime security is for .NET stuff only.

For VSTO, Code signing is optional (though recommended), but .NET runtime
security setting is a must. Peter Torr's blog entry:
http://blogs.msdn.com/ptorr/archive/2003/11/03/56304.aspx
shows the background information, and the MSDN article:
http://msdn.microsoft.com/en-us/library/x60sxwtw(VS.80).aspx
tells the best practice for security in VSTO solutions.

Let me know if you have any other questions or concerns.

Regards,
Jialiang Ge ([email protected], remove 'online.')
Microsoft Online Community Support

Delighting our customers is our #1 priority. We welcome your comments and
suggestions about how we can improve the support we provide to you. Please
feel free to let my manager know what you think of the level of service
provided. You can send feedback directly to my manager at:
(e-mail address removed).

==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notifications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscriptions/support/default.aspx.
==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
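
The runtime security grant described in the answer above, as an added example that is not part of the original posts: it checks the add-in's Authenticode signature against the publisher certificate, adds a machine-level CAS code group keyed on that publisher, and then asks the policy what it grants. The file paths, certificate file and code group name are placeholders.

```powershell
# Added example. Run from an elevated prompt: machine-level policy changes need admin rights.
# 32-bit Framework directory (Office 2003 and 2007 are 32-bit applications).
$caspol = Join-Path $env:windir 'Microsoft.NET\Framework\v2.0.50727\caspol.exe'
$cert   = 'C:\deploy\publisher.cer'                 # placeholder: exported publisher certificate
$addin  = 'C:\Program Files\Example\ExcelAddIn.dll' # placeholder: signed add-in assembly
$group  = 'Example_VSTO_Publisher'                  # placeholder: name for the new code group

# 1. Confirm the assembly is signed, the signature verifies, and the signer is
#    the certificate we are about to trust (compare thumbprints, not names).
$sig      = Get-AuthenticodeSignature -FilePath $addin
$expected = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cert
if ($sig.Status -ne 'Valid') {
    throw "Signature on $addin is '$($sig.Status)'; not adding a policy grant."
}
if ($sig.SignerCertificate.Thumbprint -ne $expected.Thumbprint) {
    throw "Signer thumbprint does not match $cert; not adding a policy grant."
}

# 2. Record what machine policy grants the assembly before the change.
& $caspol -m -rsp $addin

# 3. Add a child of All_Code whose membership condition is the publisher
#    certificate and whose permission set is FullTrust. -q suppresses the
#    interactive confirmation prompt.
& $caspol -q -m -ag All_Code -pub -cert $cert FullTrust `
    -n $group -d 'FullTrust for assemblies signed by the add-in publisher'
if ($LASTEXITCODE -ne 0) { throw "caspol failed with exit code $LASTEXITCODE" }

# 4. Verify: the assembly should now match the new code group, and the
#    resolved machine-level permissions should show the resulting grant.
& $caspol -m -rsg $addin
& $caspol -m -rsp $addin
```

A publisher membership condition matches every assembly signed with that certificate, so the grant covers all code from that publisher on the machine, not only this add-in.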
 
Jialiang Ge [MSFT]

Hello J,

I want to supplement my previous message in that I did not mention the
change of security model in VSTO 3.0.

VSTO 2005 SE uses .NET Code Access Security as its security model; the
certificates the assemblies might be signed with are not evaluated at
runtime.
But for Office 2007 solutions, upgrade to VSTO 3.0 (VS 2008) and sign the
manifests. VSTO 3.0 uses ClickOnce security and therefore evaluates the
signatures (of the manifests, not the assemblies). VSTO 3.0 targeting
Office 2003 is still using CAS.
http://msdn.microsoft.com/en-us/library/bb821233.aspx

Let me know if you have any other concerns or questions.

Regards,
Jialiang Ge ([email protected], remove 'online.')
Microsoft Online Community Support

 
Jialiang Ge [MSFT]

You are welcome, J.

By the way, I noticed you said "Re-Posting" in your first message, and then I
found your post "Com Add-Ins using Trusted Publisher for Security" from
2008-3-1:

http://www.microsoft.com/communities/newsgroups/en-us/default.aspx?dg=microsoft.public.office.developer.com.add_ins&tid=f8d22468-0412-4f1d-82a2-b8df0f37cd6b&cat=en_US_c23d73c6-0440-4014-9329-9c957076674c&lang=en&cr=US&sloc=&p=1

Microsoft Managed Newsgroup support system did not capture that post,
possibly because your Managed Newsgroup account had not gone into effect at
the time. If you see this kind of problem again, please feel free to
contact my manager directly. My manager can be reached at
(e-mail address removed). We will take action to follow up immediately when we
receive your feedback.
For more information about how to use MSDN managed newsgroup, please refer
to our blog entry: http://blogs.msdn.com/msdnts/pages/postingAlias.aspx

Thank you for using our MSDN Managed Newsgroup Support Service!

Regards,
Jialiang Ge ([email protected], remove 'online.')
Microsoft Online Community Support

 
