
We do have a build server which contains our private key, used to sign the delay-signed assemblies, in a key container. We are now creating another build server and no one seems to know where the original key file is, so we're trying to export the key from the original server and import it into the new one.

To do the export, we are using this:

using System.IO;
using System.Security.Cryptography;

// Export the key pair (private half included) from the named container.
// With PersistKeyInCsp left at its default (true), a container or key slot
// that does not exist is created with a fresh key instead of failing.
string filePath = @"C:\temp\key.blob";            // destination of the CSP key blob
CspParameters cp = new CspParameters();
cp.KeyContainerName = "nameOfOurContainer";
cp.Flags = CspProviderFlags.UseMachineKeyStore;
RSACryptoServiceProvider key = new RSACryptoServiceProvider(cp);
var blob = key.ExportCspBlob(true);               // true = include the private key
using (var fs = new FileStream(filePath, FileMode.CreateNew))
{
    fs.Write(blob, 0, blob.Length);
}

To import, this:

using System.IO;
using System.Security.Cryptography;

string filePath = @"C:\temp\key.blob";            // the blob written on the old server
string containerName = "nameOfOurContainer";

CspParameters cp = new CspParameters();
cp.KeyContainerName = containerName;
cp.Flags = CspProviderFlags.UseMachineKeyStore;
cp.KeyNumber = (int)KeyNumber.Signature;          // only the import sets the key slot

RSACryptoServiceProvider key = new RSACryptoServiceProvider(cp);

// File.ReadAllBytes reads the whole file; a single FileStream.Read call
// may return fewer bytes than requested, and its return value was ignored.
var blob = File.ReadAllBytes(filePath);
key.ImportCspBlob(blob);
key.PersistKeyInCsp = true;                       // keep the imported key in the container

The keys are being exported and imported successfully, but the signing on the new server is not working - we're getting

Key pair does not match public key from assembly

So I suspect that either our import or our export process is wrong. Ideas?

poupou
Hassan

2 Answers


You can export key containers with the below command line:

aspnet_regiis -px "SampleKeys" keys.xml -pri

This exports the key container SampleKeys to the keys.xml file. The -pri option includes private key information.

Elmo
djnz
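An added example, not part of the answer above and not Microsoft's own code, of taking that keys.xml onto the new server with the same .NET API the question uses. It assumes, which the page does not state, that the file holds the <RSAKeyValue> XML produced by RSA.ToXmlString(true), so RSA.FromXmlString can read it; the container name, file path and the choice of the machine store are placeholders. After persisting, it reopens the container with UseExistingKey, which throws instead of creating a key if the import did not land where expected, and compares the public halves.

```csharp
// Added example (not from the original answer): persist the RSA key from the
// keys.xml written by "aspnet_regiis -px <container> keys.xml -pri" on the old
// server into a named CSP key container on the new server, then verify it.
// Assumptions (not stated on the page): the XML is the <RSAKeyValue> format of
// RSA.ToXmlString(true); container name, path and machine-store choice are
// placeholders. Requires Windows and .NET Framework (RSACryptoServiceProvider).
using System;
using System.IO;
using System.Security.Cryptography;

static class CspXmlImport
{
    // Persist the key from the XML file into the container and return the
    // public-only XML so the caller can compare it with the source server
    // ("aspnet_regiis -px" without "-pri" produces that public-only form).
    public static string ImportIntoContainer(string xmlPath, string containerName, bool machineStore)
    {
        string xml = File.ReadAllText(xmlPath);
        var cp = new CspParameters
        {
            KeyContainerName = containerName,
            KeyNumber = (int)KeyNumber.Exchange,   // same slot as the read-back below
            Flags = machineStore ? CspProviderFlags.UseMachineKeyStore : CspProviderFlags.NoFlags,
        };
        // The constructor creates the container (and a throw-away key) if it
        // does not exist; FromXmlString then replaces that key with ours.
        using (var rsa = new RSACryptoServiceProvider(cp))
        {
            rsa.PersistKeyInCsp = true;   // keep the container after Dispose
            rsa.FromXmlString(xml);
            return rsa.ToXmlString(false);
        }
    }

    // Reopen with UseExistingKey: a missing container or empty slot throws a
    // CryptographicException instead of silently generating a new key.
    public static string ReadBackPublicXml(string containerName, bool machineStore)
    {
        var flags = CspProviderFlags.UseExistingKey;
        if (machineStore) flags |= CspProviderFlags.UseMachineKeyStore;
        var cp = new CspParameters
        {
            KeyContainerName = containerName,
            KeyNumber = (int)KeyNumber.Exchange,
            Flags = flags,
        };
        using (var rsa = new RSACryptoServiceProvider(cp))
        {
            CspKeyContainerInfo info = rsa.CspKeyContainerInfo;
            Console.WriteLine("container={0} machineStore={1} keyNumber={2} exportable={3}",
                info.KeyContainerName, info.MachineKeyStore, info.KeyNumber, info.Exportable);
            return rsa.ToXmlString(false);
        }
    }

    static void Main(string[] args)
    {
        string xmlPath = args.Length > 0 ? args[0] : "keys.xml";        // placeholder
        string container = args.Length > 1 ? args[1] : "SampleKeys";    // placeholder
        string imported = ImportIntoContainer(xmlPath, container, machineStore: true);
        string readBack = ReadBackPublicXml(container, machineStore: true);
        Console.WriteLine(imported == readBack
            ? "OK: container holds the imported key"
            : "MISMATCH: the key read back is not the one imported");
    }
}
```

The tool's own counterpart is `aspnet_regiis -pi SampleKeys keys.xml`; the point of doing it in C# is the read-back with UseExistingKey, which is the one flag that stops RSACryptoServiceProvider from quietly handing you a brand-new key pair.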

One of the issues with RSACryptoServiceProvider is that it will generate a keypair if none exists. It makes it harder to know if you're reading an existing key (or using something entirely new).

I don't recall exactly how the strong-name keys were stored (it's been a while) wrt CryptoAPI. However, I don't believe them to be in the machine store (not by default anyway), so

cp.Flags = CspProviderFlags.UseMachineKeyStore;

should not be used (in the export, nor the import).

I don't recall the key slot (e.g. KeyNumber.Signature) but it should be identical in both your export and import code (try both :-).

If that does not work try to detect if the export or the import is the issue. Use the sn options to see if the exported public key (-tp) match the one used on the assemblies (-Tp).

You can also have a look at Mono source code for its sn tool. It does support the options but I don't recall if they were fully compatible with MS version (wrt key containers) and things might have changed a bit since FX 1.x ;-)

poupou
  • Well, tried playing around with the flags property for the export - it was generating different keys for each setting. Consistent, but different. And none of them was the right one. Will continue investigation tomorrow. – Hassan Sep 08 '11 at 13:41
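As an added example that is not part of poupou's answer or the comment above: the check he suggests (does the key in the container match the public key in the assembly?) done in C# without going through sn. Every combination of user/machine store and Exchange/Signature slot is opened with CspProviderFlags.UseExistingKey, so a container or slot that does not exist raises a CryptographicException rather than being silently created with a fresh key, and the RSA modulus of each key that is found is compared to the modulus embedded in the assembly's strong-name public key. Assumptions not stated on the page: the container name and assembly path are placeholders, and the strong-name public key is laid out as a 12-byte header followed by a CAPI PUBLICKEYBLOB (the documented format, the same bytes `sn -Tp` prints in hex).

```csharp
// Added example (not from the original answer): find which store and key slot
// of a CSP container holds the key a delay-signed assembly was built with.
// Assumptions: container name and assembly path are placeholders; the
// strong-name public-key layout below is the documented CAPI format but is
// not shown on the page. Requires Windows and .NET Framework.
using System;
using System.Linq;
using System.Reflection;
using System.Security.Cryptography;

static class StrongNameKeyLocator
{
    // Big-endian modulus from the public key stored in the assembly.
    // Layout: SigAlgId(4) HashAlgId(4) BlobLen(4) | BLOBHEADER(8) |
    // RSAPUBKEY { magic "RSA1"(4) bitlen(4) pubexp(4) } | modulus, little-endian.
    public static byte[] ModulusFromAssembly(string assemblyPath)
    {
        byte[] pk = AssemblyName.GetAssemblyName(assemblyPath).GetPublicKey();
        if (pk == null || pk.Length < 32)
            throw new InvalidOperationException("assembly carries no public key");
        int bitLen = BitConverter.ToInt32(pk, 24);
        byte[] modulus = new byte[bitLen / 8];
        Array.Copy(pk, 32, modulus, 0, modulus.Length);
        Array.Reverse(modulus);   // CAPI is little-endian, RSAParameters is big-endian
        return modulus;
    }

    // Open an existing key only; returns null when that store/slot has none.
    public static byte[] ModulusFromContainer(string container, bool machineStore, KeyNumber slot)
    {
        var cp = new CspParameters
        {
            KeyContainerName = container,
            KeyNumber = (int)slot,
            Flags = CspProviderFlags.UseExistingKey
                  | (machineStore ? CspProviderFlags.UseMachineKeyStore : CspProviderFlags.NoFlags),
        };
        try
        {
            using (var rsa = new RSACryptoServiceProvider(cp))
            {
                // Public half only: allowed even when the key is not exportable.
                return rsa.ExportParameters(false).Modulus;
            }
        }
        catch (CryptographicException)
        {
            return null;   // "Keyset does not exist" or empty slot
        }
    }

    // Reports which store/slot holds the key that matches the assembly, if any.
    public static string FindMatchingContainer(string container, string assemblyPath)
    {
        byte[] want = ModulusFromAssembly(assemblyPath);
        foreach (bool machine in new[] { false, true })
        {
            foreach (KeyNumber slot in new[] { KeyNumber.Exchange, KeyNumber.Signature })
            {
                string where = (machine ? "machine" : "user") + " store, " + slot + " slot";
                byte[] got = ModulusFromContainer(container, machine, slot);
                if (got == null) { Console.WriteLine(where + ": no key"); continue; }
                bool match = got.SequenceEqual(want);
                Console.WriteLine(where + ": " + (match ? "MATCHES assembly" : "different key"));
                if (match) return where;
            }
        }
        return null;
    }

    static void Main(string[] args)
    {
        string container = args.Length > 0 ? args[0] : "nameOfOurContainer";  // placeholder
        string assembly = args.Length > 1 ? args[1] : "Delayed.dll";           // placeholder
        Console.WriteLine(FindMatchingContainer(container, assembly)
            ?? "none of the four locations holds the assembly's key");
    }
}
```

Run it on the old server first with the container name the build uses: the line that reports MATCHES tells you which store and slot to pass to the export, and those same two settings belong in the import on the new server. If none of the four locations matches, the container being exported does not hold the build key at all, whatever the export code returns.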