code signing of your revit plug-ins

image by archi-lab

So, as I have been developing more and more Revit plug-ins these days, I finally came to the realization that the stupid security warning about an Untrusted Publisher that Revit shows on startup really annoys me.


This has been discussed before by Jeremy Tammik and Harry Mattison on their respective blogs, so I won’t go into the specifics of why we have to sign our plug-ins. What I will go into at length is one of the possible methods/companies from which you can obtain your code signing certificate, and how to install it. Harry talked about the basic setup in this post: BoostYourBim, and Jeremy Tammik chimed in on why one needs to sign their plug-ins over at the Autodesk Forum. Please give them a read. Now, let’s get to it.

!!!— I by no means endorse KSoftware or Comodo in this post. They are just one of the many companies that offer this service, so feel free to make your own choice. I made mine based on the fact that Harry used them and it worked for him, so I just went with that. —!!!

!!!— This is important. KSoftware/Comodo issue your certificate through the internet browser (the browser’s <keygen> functionality, which generates the private key on your machine while you place the order). It is critical to the whole process that you place the order using a compatible browser. Chrome is not. Neither is Edge. Basically, make sure you are using Firefox or Internet Explorer every step of the way, from placing the order to collecting the certificate. —!!!

  • First you need to place an order with KSoftware. They will ask you to verify your company. One of the many ways you can do that is to sign up with yet another company (which I am not endorsing either) by the name of Dun & Bradstreet. They will require you to submit paperwork that proves you are who you say you are, that you own the company, etc. To obtain the DUNS number you just have to register your company with them and wait for about 2 weeks. They will try to sell you stuff, so beware of that. You can just decline and wait for them to issue the free number.
  • Once you get that out of the way, you will get an email saying that your certificate has been issued and that you need to collect it. It will look like this:


  • Again, make sure that you are using the same compatible browser as when you placed the order, or this can fail. Otherwise, just follow their link and you should get a message asking whether you want to install your certificate. If you were to use the wrong browser (say, the latest Chrome), it would instead just download a certificate file. That’s not what you want. You want it installed, so that when you go to Internet Options > Content > Certificates it shows up like this:


  • Now that you have your certificate installed, you can export it. You basically want to export it to a PFX file that is encrypted with a password, so that you can store it safely on your computer and use it to sign your DLLs. Here are the steps to get it exported; follow these and you will end up with a PFX file: Export steps.
  • Now that we have the certificate exported, we can use signtool.exe, which ships with Visual Studio, to sign your DLLs after they are compiled. The way to do that is to add a Post Build Event to your assembly. You can do it by right-clicking on the project in Solution Explorer and navigating to Properties:


  • Then, under Post Build Events, you can add a line that asks signtool.exe to sign your plug-in using the PFX file you previously exported. It looks like this:


  • The actual code is this:

Now, this will not take away the Revit warning on the first try. However, this time it will show the warning with your credentials, and you can choose to launch your plug-in. It should take the warning away on every subsequent Revit launch. Also, when adding your sign command to the Post Build Event, please remember to sign your code first, before moving your DLL somewhere else. I usually use copy commands there as well to copy my DLLs to the appropriate Revit folders, so just make sure they are signed before they are moved.
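As an added example (my own script, not the post’s Post Build Event line), here is a sign-then-verify-then-copy script that follows the ordering just described. Save it as sign-and-deploy.cmd in the project folder and call it from the Post Build Event as call "$(ProjectDir)sign-and-deploy.cmd" "$(TargetPath)" "$(ProjectDir)". The signtool.exe path, the PFX location, the PFX_PASSWORD environment variable, the timestamp server placeholder and the Revit version are all assumptions you will need to adjust.

```batch
@echo off
rem sign-and-deploy.cmd: added example, not the post's own Post Build Event line.
rem Called by the Post Build Event with two arguments:
rem   %1 = $(TargetPath)   full path of the freshly built plug-in DLL
rem   %2 = $(ProjectDir)   project folder (holds the .addin manifest)
rem Assumed/placeholder values: SIGNTOOL path, PFX path, PFX_PASSWORD
rem environment variable, the timestamp server URL and the Revit version.
setlocal
set "TARGET=%~1"
set "PROJDIR=%~2"
set "SIGNTOOL=C:\Program Files (x86)\Windows Kits\10\bin\x64\signtool.exe"
set "PFX=%PROJDIR%cert\codesign.pfx"
set "REVIT_VERSION=2017"
set "REVIT_ADDINS=%APPDATA%\Autodesk\Revit\Addins\%REVIT_VERSION%"

rem The PFX holds your private key. Keep it and its password out of the
rem .csproj and out of source control: read the password from a user-level
rem environment variable (assumption) rather than typing it into the event.
if "%PFX_PASSWORD%"=="" (
  echo PFX_PASSWORD is not set, refusing to sign
  exit /b 1
)

rem 1. Sign first, before anything is copied. Use plain straight double
rem    quotes around every path: curly quotes pasted from a web page make
rem    signtool fail with "The filename, directory name, or volume label
rem    syntax is incorrect". Replace the /tr placeholder with your CA's
rem    RFC 3161 timestamp server so the signature outlives the certificate.
"%SIGNTOOL%" sign /f "%PFX%" /p "%PFX_PASSWORD%" /fd sha256 ^
  /tr http://TIMESTAMP_URL_PLACEHOLDER /td sha256 "%TARGET%"
if errorlevel 1 (
  echo signing failed
  exit /b 1
)

rem 2. Verify the signature chains to a trusted root before it ships.
"%SIGNTOOL%" verify /pa "%TARGET%"
if errorlevel 1 (
  echo signature does not verify
  exit /b 1
)

rem 3. Only now copy the signed DLL, plus its .addin manifest if present,
rem    to the per-user Revit add-in folder so Revit picks it up at startup.
if not exist "%REVIT_ADDINS%" mkdir "%REVIT_ADDINS%"
copy /y "%TARGET%" "%REVIT_ADDINS%\" >nul
if exist "%PROJDIR%*.addin" copy /y "%PROJDIR%*.addin" "%REVIT_ADDINS%\" >nul
echo signed and deployed %~nx1 to %REVIT_ADDINS%
endlocal
```

Because the script exits non-zero when signing or verification fails, the build itself fails and an unsigned DLL never reaches the Revit add-ins folder.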

This should do the trick. Let me know if you have any questions, and huge thanks to Harry Mattison and Jeremy Tammik for their initial posts. They were great at getting me through this process.

Cheers!

PS. From reading the comments on the Boost Your Bim post, it seems that on some machines you might have to open Internet Explorer before launching Revit. I am not sure why that would be, but I am putting it here in case someone runs into trouble.


8 Comments

  1. One Two says:

    Autodesk have a two-tier system. If you develop directly for the RevitAPI you need to sign the assemblies.

    If you create zero touch nodes for Dynamo you don’t. Even though you can access the RevitAPI and import any namespace you like.

    I look at the average price of an Exchange app and the number of positive comments for such an app and I wonder how the publishers break even, given all these costs Autodesk insist on. Out of principle I’m not going to pay for someone to investigate and prove I am who I am.

    The fact one CA charges a small amount and another charges a large amount just points to the likely inconsistency in their vetting process. One is investigating what you eat for breakfast and the other is just subletting their certificate.

    • Well, you can also get a free certificate for Open Source projects etc. I don’t think that Autodesk’s aim here is to truly vet people that post plug-ins to their Exchange App, but rather to put a small little obstacle in the way that would discourage malicious activities. After all, something as simple as Captcha can stop people from posting spam (yeah, I know its goal is mainly to stop bots from posting spam, but either way you get my point). Also, you don’t have to buy these certificates. It’s not a mandatory requirement. You can still publish and share Revit plug-ins without it, except that your users will be annoyed by the warnings. That’s it.

  2. One Two says:

    I’m not sure what the restrictions are on the Exchange App Store. However, if you write an InstallShield package then you get to choose if certificates are installed on the local PC trusted root, as the InstallShield can be made to require elevated privileges. So there is no real security in the certificates system for those intent on doing harm.

    Thanks for the reply.

  3. john pierson says:

    Seems like the wrong quotes can cripple the signing. I have been struggling through this for longer than I would care to admit. lol https://stackoverflow.com/questions/42938690/signtool-returns-the-filename-directory-name-or-volume-label-error
