.Net application publisher certificate checking

Alex Mags

2014-06-09

Have a server app (NetApp SnapDrive 7) which installs a .Net service. The service fails to start and the MSI package rolls back. It fails to start because it’s doing publisher cert checking and the servers don’t have internet access via proxy. The workaround offered was to edit the app .config file and add Described in this article: http://msdn.microsoft.com/en-us/library/bb629393(v=vs.110).aspx

And: http://msdn.microsoft.com/en-us/library/system.security.permissions.publisheridentitypermission(v=vs.110).aspx

Found this cert check can be turned off per machine in machine.config files

The following powershell finds all the .net runtimes and turns off publisher cert checking. Make this a dependency of your NetApp SnapDrive 7 package. Update: CMS has munged up the syntax somewhat but it’ll give you and idea of what you can do if you experience this…

# Enumerate .Net framework runtimes and disable publisher cert checking
#http://blog.oneboredadmin.com/2014/01/disabling-generate-publisher-evidence.html
#http://blog.oneboredadmin.com/2010/12/stsadm-new-spsite-is-slow.html
#http://msdn.microsoft.com/en-us/library/bb629393(v=vs.110).aspx
``````
function Modify-Config(\[string\]$filename,\[string\]$backupDir="~"){
``````
 Write-host "Loading XML $filename"
 $doc = new-object xml
 $doc.load($filename)
 Write-host 'Locating parent node (/configuration/runtime)'
 $parent = $doc.SelectSingleNode('/configuration/runtime')
 if(!$parent){Write-Error 'Non-default xml. Stopping'}
 else{
  Write-host 'Locating child node (generatePublisherEvidence)'
  $child = $parent.generatePublisherEvidence
  if(!$child){Write-host 'Creating child node';  $child = $doc.CreateElement('generatePublisherEvidence') ;   $parent.AppendChild($child)  }

  Write-host 'Checking attribute "enabled"'
  if($child.enabled -ne $false){
   if(!$child.enabled){
    Write-host 'Creating node "enabled"'
    $att = $doc.CreateAttribute('enabled')
    $child.Attributes.Append($att)
   }

   Write-host 'Setting "enabled" to "false"'
   $child.enabled = "false"

   Write-host 'Saving file'
   $doc.save($filename)
  }
 }
}

('Framework','Framework64') | %{"$env:windir\\Microsoft.NET\\$\_"} | ?{test-path $\_} | %{ls $\_ -fi 'v\*' | ?{$\_.mode -like 'd\*'}} | select -exp fullname | %{"$\_\\CONFIG\\machine.config"} | ?{test-path $\_} | %{Modify-Config $\_}