Archive for September, 2010

Bypassing the Authenticode Signature Check on Startup


Authenticode verification will hurt startup time. I recently experienced this on a customer project. The initial startup time to show some parts of the UI took way too long the first time they were accessed. The WPF application is accessed through Citrix, which also affects the startup performance for assemblies that need to be verified.

Authenticode-signed assemblies need to be verified with the CA. This verification can be time intensive, as it can require hitting the network several times to download up-to-date certificate revocation lists, and also to ensure that there is a full chain of valid certificates on the way to a trusted root. This can, as in our case, end up in a delay of several seconds while that assembly is being loaded. The worst case for us was almost 30 sec for some client setups.

To get rid of this issue you can either install the CA certificate on the client machine or avoid using Authenticode when possible. We know that our application doesn’t need the Publisher evidence so we can do the following.

In .NET Framework 3.5 there is a configuration option that allows bypassing the Authenticode verification. This can be done by adding the following line to the .exe.config file:

              <generatePublisherEvidence enabled="false"/>

More information is available here as well as on this blog.

KB936707 discusses how you can also enable this in .NET Framework 2.0.
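
A check that a deployment or audit script can run to confirm which applications have this setting and that it sits where the runtime reads it, inside the runtime element under configuration. This is an added example, not code from the original post; the function name, the status strings and the sample configs are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample configs for illustration (not from the original post).
GOOD = """<?xml version="1.0"?>
<configuration>
  <runtime>
    <generatePublisherEvidence enabled="false"/>
  </runtime>
</configuration>"""
MISPLACED = """<configuration>
  <startup>
    <generatePublisherEvidence enabled="false"/>
  </startup>
</configuration>"""
NAMESPACED = """<configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
  <runtime><generatePublisherEvidence enabled="true"/></runtime>
</configuration>"""
NOT_SET = "<configuration><runtime/></configuration>"


def publisher_evidence_state(config_xml):
    """Classify a config as 'disabled', 'enabled', 'not-set', 'misplaced' or 'invalid'."""
    try:
        root = ET.fromstring(config_xml)
    except ET.ParseError:
        return "invalid"
    # Some config files declare a default namespace on <configuration>; drop it
    # so the path lookups below match either form.
    for el in root.iter():
        el.tag = el.tag.rsplit("}", 1)[-1]
    if root.tag != "configuration":
        return "invalid"
    elem = root.find("./runtime/generatePublisherEvidence")
    if elem is None:
        # Present elsewhere in the file means it is not under <runtime>.
        if root.find(".//generatePublisherEvidence") is not None:
            return "misplaced"
        return "not-set"
    # Only the two documented values are accepted; anything else is flagged.
    return {"false": "disabled", "true": "enabled"}.get(elem.get("enabled"), "invalid")


if __name__ == "__main__":
    for name, xml_text in [("good", GOOD), ("misplaced", MISPLACED),
                           ("namespaced", NAMESPACED), ("not set", NOT_SET)]:
        print(f"{name}: {publisher_evidence_state(xml_text)}")
```

A "disabled" result identifies an application that has given up Publisher evidence, so it is worth confirming that nothing in that application relies on it.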
