2010-03-20

The service did not respond to the start or control request in a timely fashion.

So, I released a new version of one of my applications. This application is a Windows service. Nothing strange about this version, so I rolled it out. Suddenly, a lot of users were complaining that the service did not start.

One strange thing was that when I changed the account the service runs under from SYSTEM (which is my default) to a local administrator, it worked.

I tried to create similar environments but could not reproduce the problem. I got desktop access on one of the users' servers and saw, while running Process Explorer, that a lot of queries were made to the CryptoAPI DLLs before it finally gave up and timed out. This led me to think that it was some deeper security problem.

I recently started signing my service with GlobalSign instead of Thawte, so maybe it was something about that. I ran into this KB: http://support.microsoft.com/kb/936707

So, I added the following lines to the config, and the service started to work when running as SYSTEM:

<configuration>
    <runtime>
        <generatePublisherEvidence enabled="false"/>
    </runtime>
</configuration>

I don’t know if the problem is specific to GlobalSign, an implementation error, missing root certificates, or my previous signing certificate being cached in some way. If you know, then please let me know. Right now, I am just satisfied that this solution works.
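The KB linked above describes the startup delay as the .NET runtime verifying the assembly's Authenticode signature, which includes fetching the certificate revocation list (CRL); if that download cannot complete, the service keeps waiting until the service controller gives up. The diagnostic below is an added example, not part of the original post: it builds the signer's certificate chain with online revocation checking and reports how long it took, so you can see whether that step hangs under the service account before deciding to switch off publisher evidence. The path is an assumed placeholder.

```powershell
# Added diagnostic (not from the original post). Point $Path at the signed
# service executable; the default below is a placeholder.
param([string]$Path = "C:\path\to\MyService.exe")

$sig = Get-AuthenticodeSignature -FilePath $Path
"Signature status : $($sig.Status)"
if (-not $sig.SignerCertificate) { throw "File is not Authenticode-signed" }
"Signer           : $($sig.SignerCertificate.Subject)"
"Issuer           : $($sig.SignerCertificate.Issuer)"

# Same kind of check the runtime performs for publisher evidence: full chain
# with online revocation checking and a bounded URL retrieval timeout.
$ns    = "System.Security.Cryptography.X509Certificates"
$chain = New-Object "$ns.X509Chain"
$chain.ChainPolicy.RevocationMode      = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag      = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$chain.ChainPolicy.UrlRetrievalTimeout = New-TimeSpan -Seconds 15

$sw = [System.Diagnostics.Stopwatch]::StartNew()
$ok = $chain.Build($sig.SignerCertificate)
$sw.Stop()
"Chain build ok   : $ok ({0:N1} s)" -f $sw.Elapsed.TotalSeconds

# Any status other than NoError explains why the chain was not accepted;
# RevocationStatusUnknown / OfflineRevocation point at CRL download problems
# rather than at the signature itself.
foreach ($s in $chain.ChainStatus) {
    "  {0}: {1}" -f $s.Status, $s.StatusInformation.Trim()
}
```

Run it under the same account the service uses (for SYSTEM, e.g. via PsExec -s), because the result and the elapsed time can differ between SYSTEM and an interactive administrator account.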

2010-03-10

ClickOnce and obfuscation with .NET Reactor


The above could have been easy and straightforward if it weren’t for what I call design errors in the build and publish process.

My first thought was that I could just add a post-build event calling a command line that protects the application/DLLs and then copies them back to the output folder. I was thinking that the “Publish” feature would use this output folder.

That wasn’t the case, unfortunately.

The Publish feature seems to store the built exes in memory or in a temporary location and then overwrite anything in the output folder, so your recently protected items get overwritten. Only after this does all the signing and publishing magic occur.

As my original approach did not work I had to do this manually:

1. Publish first (which builds).
2. Then protect the files.
3. Copy the protected files over the build version folder.
4. Update the application.manifest file (so that new hashes are created for each file).
5. Re-sign the manifest file.
6. Update the ApplicationName.application file so it hashes the new manifest file.
7. Re-sign the *.application file.

To work with the files we use the manifest tool mage.exe. I am not sure if the version for Visual Studio 2008 has all the functionality, so I downloaded the RC for VS2010. I run all commands from the VS2010 command prompt.

We don’t want to create new manifest files, as that would reset other settings you may have entered in the Publish designer (and which may not exist as options in mage.exe).

Here is a rough script showing how I did it:

REM http://msdn.microsoft.com/en-us/library/ms165431.aspx
REM http://msdn.microsoft.com/en-us/library/acz3y3te%28VS.100%29.aspx
REM Step 1: publish (which builds), e.g.
REM msbuild /target:publish /property:BootstrapperEnabled=true

REM Step 2: protect files with .NET Reactor (writes to the "protected" folder)
"C:\Program Files (x86)\Eziriz\.NET Reactor\dotNET_Reactor.exe" -project c:\sourcefiles\Reactor\AnyConnect.nrproj

REM Step 3: copy the protected files over the published version folder
copy C:\sourcefiles\code\AnyConnect\bin\Release\protected\*.dll "C:\sourcefiles\code\AnyConnect\bin\Release\app.publish\Application Files\AnyConnect_1_2_0_0\"
copy C:\sourcefiles\code\AnyConnect\bin\Release\protected\*.exe "C:\sourcefiles\code\AnyConnect\bin\Release\app.publish\Application Files\AnyConnect_1_2_0_0\"

REM Steps 4-5: recompute the file hashes in the application manifest and re-sign it
cd "C:\sourcefiles\code\AnyConnect\bin\Release\app.publish\Application Files\AnyConnect_1_2_0_0\"
mage -Update AnyConnect.exe.manifest
mage -Sign AnyConnect.exe.manifest -CertFile c:\sourcefiles\sign\netcart.pfx -Password myPassword

REM Steps 6-7: point the deployment manifest at the re-signed application manifest and re-sign it
cd "C:\sourcefiles\code\AnyConnect\bin\Release\app.publish\"
mage -Update AnyConnect.application -AppManifest "Application Files\AnyConnect_1_2_0_0\AnyConnect.exe.manifest"
mage -Sign AnyConnect.application -CertFile c:\sourcefiles\sign\netcart.pfx -Password myPassword

You can improve this a lot, so that you don’t have to update the version number by hand and maybe even have it build the project, but right now this works for me.

Remember, when uploading the project, to upload both the version folder and the *.application file.