Signing assemblies as non-admin

published: Mon, 22-Aug-2005   |   updated: Thu, 27-Oct-2005

The solution to this problem has just wasted the last 2 hours of my life, so I thought I'd post it here for everyone else and for future reference. If you are developing software in Visual Studio.NET 2003 as LUA (a least privilege, non-admin, user) then you'll find that you can't sign assemblies.

The error that comes up when you do so looks like this:

error CS1548: Cryptographic failure while signing assembly 'foo.dll' -- 'Access is denied. '

Although it seems that there are others, including 'Unknown error'.

I'd already added my user account to the "Debugger Users" and the "VS Developers" groups. No dice.

I then checked out the various individual privileges. No dice.

Some major searching on Google revealed not a lot of information, at least not for my particular case. I tried different search terms, all to no avail. This article on developing software as non-admin seemed to be completely relevant (yay!), but didn't address my particular problem (boo!).

Finally I found a snippet here that talked about a similar error.

Essentially, the solution is this: the signing functionality requires the user account to have extra privileges to this folder:

x:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys

(where "x:" refers to the relevant drive.)

My testing indicated that the user account should have "Create Files", "Create Folders", "Write Attributes", "Write Extended Attributes", "Delete Subfolders and Files", and "Delete". This set may be overkill, but it allowed me to go forward without messing around too much.

That's all. I added the required privileges to my main user account and I can now sign assemblies.

(Just in case it's different with different IDEs, I emphasize I was using Visual Studio .NET 2003.)