Starting with version 2 of the SN tool, there is support for creating strong name key files protected with a private key (that is, a .pfx file). Though this is a great improvement over the old .snk file, it is a pain during development. While opening or debugging the signed projects, a dialog box opens that reads “Import Key File”, “This project includes a password-encrypted key used for signing. Enter the password for the key file to import the key file into the local crypto-store database for use.” Even if you enter the correct password, the error persists and says “Error importing key”, “Object already exists”. On building, you get the following message: error MSB3321: Importing key file “<keyname>.pfx” was canceled.
I faced this issue in VS 2008 on my Windows 7 machine and had to get rid of this error somehow. Accidentally I came to know that if UAC is turned off, the error vanishes. On researching (googling :)) I could find that this is a permission (UAC) related open bug in Visual Studio from VS 2005 through VS 2010 (not verified), and the one and only solution for the time being seems to be Delay Signing. By delay signing your assembly you can get rid of the nag window in Visual Studio, and by signing the assembly with your key file before distribution you could achieve the security you want. This, though, comes with a catch. If you set the project for delay signing, you cannot debug your application, as the verification of the strong name fails. To override this verification, you have to add your key file to the list of keys skipped for verification on your machine.
I could not find the steps for delay signing and verification skipping online easily. So I am just recompiling the steps for future reference 🙂
- Open a Visual Studio command prompt.
- Run the command sn -p <original-key>.pfx <public-key-file>.pk (Export the public key from your .pfx file using the SN tool.)
- In the Project Properties page, select the Signing tab, set the key file in Visual Studio to <public-key-file>.pk and check the Delay Sign only option.
- To skip the strong name verification, you have two options. Configure the skipping of a particular assembly: run sn -Vr <assembly-name>
- Or enable skipping for all the assemblies signed with the same key. Personally I preferred this method as there were 4 or 5 assemblies signed with the same .pfx file. To achieve this:
  - First run sn -T <assembly-name>. This gives us the public key token for the assembly. For example, the output will be something like Public key token is bd91f093f07f35ac.
  - Now run sn -Vr *,<public-key-token>. For example, sn -Vr *,bd91f093f07f35ac in my case.
- When you finally want to ship your assembly, run sn -Rc <assembly-name> <original-key>.pfx
For this to work on 64-bit, you need to do these extra steps:
- Open a command prompt as Administrator
- Go to C:\Program Files\Microsoft SDKs\Windows\v6.0A\Bin\x64\
- Run the same command: sn -Vr *,<public-key-token>
This is to add the verification skip to the 64-bit registry as well.
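The skip entries registered with sn -Vr stay on the machine until they are removed, and a wildcard entry turns off strong name verification for every assembly carrying that public key token, so it is worth reviewing them when delay signing is no longer needed. The PowerShell below is an added example, not part of the original post: the function name Get-StrongNameSkipEntry is hypothetical, the registry paths are the standard .NET Framework locations (an assumption, since the post does not name them), and it assumes a 64-bit PowerShell session.

```powershell
# Added example (not from the original post): list strong-name verification
# skip entries in both the 64-bit and 32-bit registry views.
# Assumption: these are the keys sn -Vr writes to; the post does not name them.
$SkipListPaths = [ordered]@{
    '64-bit' = 'HKLM:\SOFTWARE\Microsoft\StrongName\Verification'
    '32-bit' = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\StrongName\Verification'
}

# Hypothetical helper name, chosen for this example.
function Get-StrongNameSkipEntry {
    foreach ($view in $SkipListPaths.GetEnumerator()) {
        # A view with no skip entries usually has no Verification key at all.
        if (-not (Test-Path -Path $view.Value)) { continue }

        foreach ($key in Get-ChildItem -Path $view.Value) {
            # Subkey names have the form <assembly>,<public-key-token>,
            # for example *,bd91f093f07f35ac
            $assembly, $token = $key.PSChildName -split ',', 2
            [pscustomobject]@{
                View     = $view.Key
                Assembly = $assembly
                Token    = $token
                Wildcard = ($assembly -eq '*')   # applies to every assembly with this token
            }
        }
    }
}

$entries = @(Get-StrongNameSkipEntry)
if ($entries.Count -eq 0) {
    Write-Output 'No strong name verification skip entries found.'
} else {
    $entries | Sort-Object View, Token, Assembly | Format-Table -AutoSize
    $wildcards = @($entries | Where-Object { $_.Wildcard })
    if ($wildcards.Count -gt 0) {
        Write-Warning ("{0} wildcard entr{1} found; review whether they are still needed." -f `
            $wildcards.Count, $(if ($wildcards.Count -eq 1) { 'y' } else { 'ies' }))
    }
}
```

An entry that is no longer needed can be removed with sn -Vu <assembly>,<public-key-token>, run from the same 32-bit or 64-bit sn.exe that registered it.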