Digitally signing an Inventor Addin

Message 1 of 15

dhaverstick
Advocate

I see that addin security measures have been changed for Inventor 2017 and I was hoping I could get someone to hold my hand and go through the process of digitally signing an addin. Actually, I know how to sign the addin. What I really need help with is creating a security certificate that can be applied at the network domain level or machine level.

 

I want to be able to install an addin on a computer such that anyone who uses that computer can start up Inventor without being accosted by the Addin Manager nag screen. I also want to write a batch file so that the security certificate is registered on that machine when the addin is installed and it is registered in such a way that it will apply for anyone using that addin on that computer.

 

Thanks in advance for your help!

 

Darren

0 Likes
Message 2 of 15

ekinsb
Alumni

Unfortunately, digitally signing isn't that easy.  If it was it wouldn't really mean anything because then anyone could sign anything in any way they want.  To digitally sign something you first have to purchase a digital certificate from one of the companies that provides them.  Below is a list of companies and the costs from a search I did a while ago.  When you apply for a certificate, they do some verification that you're a real company and provide the key that you can then use to sign your software.  The signature proves that the software came from you and hasn't been modified since it was signed.  My guess is that you'll want to put up with the warning.  As with all security software, it becomes another problem for the honest in an attempt to try and protect everyone from a few dishonest people.

Symantec
    1 year - $499
    2 years - $873 ($436.50/year)
    3 years - $1248 ($416/year)

GoDaddy
    1 year - $200
    2 years - $360 ($180/year)
    3 years - $510 ($170/year)

Digicert
    1 year - $223
    2 years - $396 ($198/year)
    3 years - $534 ($178/year)

Instant SSL
    1 year - $179
    2 years - $340 ($170/year)
    3 years - $501 ($167/year)

kSoftware
    1 year - $95
    2 years - $175 ($87.50/year)
    3 years - $245 ($81.66/year)
    5 years - $365 ($73/year)


Brian Ekins
Inventor and Fusion 360 API Expert
Mod the Machine blog
Message 3 of 15

dhaverstick
Advocate
Accepted solution

I figured out how to do it.

 

1) I created a self-signed certificate using MakeCert.exe. Since the Inventor add-ins are only used internally, this was good enough.

2) I imported that certificate into my company's domain-wide group policy and made it effective for all authorized domain users. This was the part that I was having trouble with.

3) Signed my Inventor add-ins with the certificate.

4) When the signed add-ins are installed, the Addin Manager allows them without the nag screen popping up.

 

Darren

Message 4 of 15

gilsdorf_e
Collaborator

Hello,

 

did that change in Inventor 2018? I signed my addins with a certificate from our company's root CA; still they are blocked by default and the pop-up screen comes up.

 

 

Reading the 2018 help file:

 

"Add-Ins that are signed by Autodesk or registered as an integral part of Autodesk products are automatically allowed to load"

 

So signing custom addins gives no benefit, except you get that soothing text inside add-in manager "File is signed and has valid certificates." Still all of our >100 users have to unblock our custom addins.

I have to find a way through registry/GPO...

0 Likes
Message 5 of 15

basnederveen
Advocate

I have exactly the same problem, any news/discoveries since this post? (Also IV 2018!)

0 Likes
Message 6 of 15

gilsdorf_e
Collaborator

Hi,

yes, I solved this. If you use an installation image to roll out Inventor, you can declare trusted authorities; that did the trick for me.

 

Regards

Erik

 

 Edit: Here you go

http://help.autodesk.com/view/INVNTOR/2018/ENU/?guid=GUID-84B221D3-979B-420D-B955-9DCBDC0C5619

0 Likes
Message 7 of 15

basnederveen
Advocate

Thank you! 

 

This would mean I would have to 'reinstall' Inventor on every workstation though, right?

0 Likes
Message 8 of 15

gilsdorf_e
Collaborator

No, you could exchange the AddInLoadRules.xml on all clients, couldn't you?

%INSTALLDIR%\Preferences\AddInLoadRules.xml

0 Likes
Message 9 of 15

basnederveen
Advocate

Alright thanks again.

 

Tried to add the addin's ID to the list of trusted IDs; this doesn't work. Still have to manually unblock the addin, so I will first try getting the addin certified. The MakeCert.exe program is not available anymore, so I'll have to find another way.

0 Likes
Message 10 of 15

gilsdorf_e
Collaborator

You are welcome. I use signtool in my postbuild process in Visual Studio, but you can do that from the command line also.

 

"%PROGRAMFILES(x86)%\Microsoft SDKs\Windows\v7.1A\Bin\signtool.exe" sign /n "Your Certificate Author Name" /t http://timestamp.verisign.com/scripts/timstamp.dll "$(TargetDir)$(TargetFileName)"

 

https://msdn.microsoft.com/en-us/library/windows/desktop/aa387764(v=vs.85).aspx

Message 11 of 15

Anonymous
Not applicable

Hi,

I followed this process but it is not working. I have edited the file and copied it to the same location.

Here is my *.XML file:

<?xml version="1.0" encoding="utf-16" standalone="no" ?>
<AddInLoadRules>
<Id Policy="Allow">
{ae651297-eb54-4a8d-8236-1af611c9c4af}
<!InventorAddIn4>
</Id>
</AddInLoadRules>

 

I am using Inventor 2019. Please help.

0 Likes
Message 12 of 15

Anonymous
Not applicable

Hi,

Can you guide me to do that? (I am new to the software industry.) You can mail me at akashdas.das02@gmail.com

0 Likes
Message 13 of 15

basnederveen
Advocate

For me it worked to add the created certificates to the trusted publishers / trusted root certificates inside the computer. I had the IT department do this on every computer in the company. You can use a .bat for this.

0 Likes
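
The certificate handling described in messages 3 and 13 (create a self-signed code-signing certificate, sign the add-in, trust the certificate machine-wide), as an added example that is not part of any post in this thread. It uses the New-SelfSignedCertificate cmdlet in place of MakeCert.exe; the subject name, file paths and function names are assumed placeholders.

```powershell
# Added example. All names and paths below are placeholders (assumptions).
$Subject  = 'CN=Example Corp Inventor Add-ins'
$CerPath  = 'C:\Deploy\InventorAddins.cer'     # public certificate only
$AddinDll = 'C:\Build\MyInventorAddin.dll'

# Build machine, run once: create the signing certificate.
# The private key is marked non-exportable and stays in the signer's store;
# only the public .cer file is written out for distribution.
function New-AddinSigningCert {
    $cert = New-SelfSignedCertificate -Type CodeSigningCert -Subject $Subject `
        -CertStoreLocation Cert:\CurrentUser\My -KeyExportPolicy NonExportable `
        -HashAlgorithm SHA256 -NotAfter (Get-Date).AddYears(3)
    Export-Certificate -Cert $cert -FilePath $CerPath | Out-Null
    return $cert
}

# Build machine, every build: sign the add-in DLL.
# Pass a timestamp server URL so the signature outlives the certificate.
function Set-AddinSignature([string]$Path, $Cert, [string]$TimestampUrl) {
    $params = @{ FilePath = $Path; Certificate = $Cert; HashAlgorithm = 'SHA256' }
    if ($TimestampUrl) { $params.TimestampServer = $TimestampUrl }
    Set-AuthenticodeSignature @params
}

# Each client, elevated prompt (or push the .cer through Group Policy instead):
# trust the certificate for every user of the machine.
# Caveat: anything signed with this key is then trusted on the machine,
# so the private key on the build machine needs to be protected accordingly.
function Install-AddinTrust([string]$Cer) {
    foreach ($store in 'Root', 'TrustedPublisher') {
        Import-Certificate -FilePath $Cer `
            -CertStoreLocation "Cert:\LocalMachine\$store" | Out-Null
    }
}

# Each client: confirm that Windows now validates the signature.
function Test-AddinSignature([string]$Path) {
    $sig = Get-AuthenticodeSignature -FilePath $Path
    return ($sig.Status -eq 'Valid')
}

# Usage on the build machine:
#   $cert = New-AddinSigningCert
#   Set-AddinSignature -Path $AddinDll -Cert $cert
# Usage on a client:
#   Install-AddinTrust -Cer $CerPath
#   Test-AddinSignature -Path $AddinDll
```

On the build machine Set-AuthenticodeSignature reports a status other than Valid until the certificate is also trusted there, so run Test-AddinSignature on a machine where Install-AddinTrust has been applied.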
Message 14 of 15

Maxim-CADman77
Advisor

I wonder, is it OK for an Addin to have a "Self-signed" Publisher?


I believe the Publisher should be something meaningful in order to unlock it by adding <Publisher Policy="Allow">.. in AddInLoadRules.xml, right?

 

 

Please vote for Inventor-Idea Text Search within Option Names

0 Likes
Message 15 of 15

gilsdorf_e
Collaborator

I do not see a problem in self-signed certificates. Of course you need a valid certification authority in your company and this root certificate needs to be on all clients via group policy.