I have many assemblies on SQL server 2008, that i don't have their dll, so when i'm trying to create those assemblies on SQL 2017 an error occors, "Msg 10343, Level 14, State 1, Line 106
CREATE or ALTER ASSEMBLY for assembly 'SqlRegularExpression' with the SAFE or EXTERNAL_ACCESS option failed because the 'clr strict security' option of sp_configure is set to 1. Microsoft recommends that you sign the assembly with a certificate or asymmetric key that has a corresponding login with UNSAFE ASSEMBLY permission. Alternatively, you can trust the assembly using sp_add_trusted_assembly." reading about possible solutions i have found that we can use the following options:
1- Disable CLR Strict Security feature (not recommended by microsoft)
2- Enable Database Trustworthy feature (not recommended )
3- Sign CLR Assembly with Asymmetric Key (recommended but the source is required and we haven't it)
4- Sign CLR Assembly with Certificate Key (recommended but dll is required and not exists)
*So Any expert can help us to sign assemblies stored in database? *
Hello. Fortunately, solving this is fairly easy. All you need to do is the following steps:
If an unsigned Assembly needs to be loaded into SQL Server:
-
TEMPORARILY enable
TRUSTWORTHY
for the Database where you are loading the Assembly (usingALTER DATABASE
) - Create the Assembly (using
CREATE ASSEMBLY
; this step requires that the Login for the Database Owner has theUNSAFE ASSEMBLY
permission, which it will already have if the DB is owned bysa
or anothersysadmin
) - Disable
TRUSTWORTHY
for this Database
Assuming that one or more unsigned Assemblies already exist:
- Create a Certificate in the Database where the Assembly resides (using
CREATE CERTIFICATE
) - Sign the Assembly (or Assemblies) with the Certificate (using
ADD SIGNATURE
) - Copy Certificate (Public Key only!) to
[master]
(usingCERTENCODED()
,CERT_ID()
, andCREATE CERTIFICATE
) - Create Login from Certificate (using
CREATE LOGIN
) - Grant that Login the
UNSAFE ASSEMBLY
permission (usingGRANT
)
For example:
USE [{database_containing_unsigned_safe_assembly}];
CREATE CERTIFICATE [{certificate_name}]
ENCRYPTION BY PASSWORD = '{some password}'
WITH SUBJECT = '{simple description}',
EXPIRY_DATE = '2099-12-31';
ADD SIGNATURE
TO ASSEMBLY::[{assembly_name}]
BY CERTIFICATE [{certificate_name}]
WITH PASSWORD = '{some password}';
DECLARE @PublicKey VARBINARY(MAX),
@SQL NVARCHAR(MAX);
SET @PublicKey = CERTENCODED(CERT_ID(N'{certificate_name}'));
SET @SQL = N'
CREATE CERTIFICATE [{certificate_name}]
FROM BINARY = ' + CONVERT(NVARCHAR(MAX), @PublicKey, 1) + N';';
PRINT @SQL; -- DEBUG
EXEC [master].[sys].[sp_executesql] @SQL;
EXEC [master].[sys].[sp_executesql] N'
CREATE LOGIN [{login_name}]
FROM CERTIFICATE [{certificate_name}];
GRANT UNSAFE ASSEMBLY TO [{login_name}]; -- REQUIRED!!!!
';
A full explanation of the above steps can be found in the following post of mine:
SQLCLR vs. SQL Server 2017, Part 4: “Trusted Assemblies” – The Disappointment ( sqlquantumleap.com/2017/08/28/sqlclr-vs-sql-server-2017-part-4-trusted-assemblies-the-disappointment ). In fact, I have a demo script on PasteBin that does all 8 of the steps noted above: pastebin.com/mwi5BidL
And, since you are using SQLCLR to get Regular Expression (RegEx) functions, I should mention that the quickest and easiest way to get quite a few RegEx functions is to get SQL# ( SQLsharp.com ), a SQLCLR library (that I wrote) with over 300 functions. All of the assemblies are signed, TRUSTWORTHY
is not enabled, and clr strict security
is not disabled.
Take care,
Solomon...
SqlQuantumLift.com
SqlQuantumLeap.com
SQLsharp.com