The Building Coder

Trusted Signature Motivation and Fishing

Topics for today:

How Does Code Signing of Revit Add-Ins Increase Security?

I talked about the trusted add-in signature requirement introduced with the Revit 2017 API last week.

Neil Smithline, Revit Software Security Architect, added an in-depth explanation on why this requirement was introduced at all, answering a new question from Ken on the Revit API discussion forum thread on code signing of Revit addins:

Question: Can you help me understand how code signing of Revit add-ins improves security?

I create an add-in, I sign it with my cert, then I install my cert during install of the add-in.

I'm in control the whole way (other than the user had to run the installer with elevated permissions...)

I'm not sure I understand how this increases actual security, as opposed to affecting some perception of increased security.

But I am willing to learn.

Answer: Revit add-in code signing is intended to reduce the risk of you running malicious code within a Revit add-in. Before discussing it in specific, let's take a step back and look at the current state of technology.

In general, preventing malicious code, commonly called malware, from running on your computer is difficult. The quantity and ingenuity of malware attacks continue to climb. Malware is being used to target everything from hospitals to lightbulbs. It has been used to damage Iranian nuclear facilities, and recently has been thought to be used as a tool to influence the US presidential elections. The best security Revit, or any application, can provide is to not make the situation worse. So we need to look at what techniques Windows provides for keeping your computer secure.

Some of the most important mechanisms that Windows uses to combat malware are:

Due to the way that Revit add-ins are downloaded and installed, they bypass User Account Control, Mark of the Web, and Authenticode. That is, Revit add-ins open a hole in Windows' malware security. So Revit must add security to fix this security flaw. Creating and fixing such a weakness is common for apps with add-ins. For example, Chrome requires extensions to be signed, and a company that tries to epitomize openness, Firefox, just added mandatory add-on signing on August 2nd, 2016.

To fix this security hole, we've added code signing. Code signing in Revit, like Microsoft's Authenticode, is intended to give the user a timely security question and to provide you with the information you need to make an informed decision. This is very similar to what Windows' User Account Control and Authenticode systems provide.

As a user, when you are given an add-in signature dialog, you know that the add-in you are loading was written by the owner of the certificate, and that it hasn't been modified since it was signed. It is then up to you to determine if you trust that person or not.

While I would love to have a solution that automatically detected add-in safety and just did the right thing, this is the best that we, as an industry, know how to do. Is it perfect: no. But is it more secure than without signing: I think so.

Thank you very much, Neil, for this very clear overview and motivating clarification!
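
The two properties Neil names, who signed an add-in and whether it has been modified since signing, can also be checked outside Revit. The following PowerShell script is an added example, not code from the forum thread or from Autodesk; it assumes the add-in assemblies carry a standard Authenticode signature, and the `$AddinRoot` parameter and the function name `Get-AddinSignatureReport` are hypothetical names chosen here.

```powershell
# Added example: audit Authenticode signatures of add-in assemblies.
# $AddinRoot is supplied by the caller; no Revit-specific path is assumed.
param(
    [Parameter(Mandatory = $true)]
    [string]$AddinRoot
)

function Get-AddinSignatureReport {
    param([Parameter(Mandatory = $true)][string]$Root)

    Get-ChildItem -LiteralPath $Root -Recurse -File -Filter *.dll |
        ForEach-Object {
            $sig  = Get-AuthenticodeSignature -LiteralPath $_.FullName
            $cert = $sig.SignerCertificate

            [pscustomobject]@{
                File        = $_.FullName
                # Valid        = file hash matches and the chain is trusted here
                # HashMismatch = file was modified after it was signed
                # NotSigned    = no signature present at all
                Status      = $sig.Status
                Signer      = if ($cert) { $cert.Subject } else { $null }
                Issuer      = if ($cert) { $cert.Issuer } else { $null }
                Thumbprint  = if ($cert) { $cert.Thumbprint } else { $null }
                # Subject equal to Issuer is a heuristic for a self-issued
                # certificate, trusted only because it was installed locally
                # (the installer scenario raised in the question above).
                SelfIssued  = [bool]($cert -and ($cert.Subject -eq $cert.Issuer))
                Timestamped = [bool]$sig.TimeStamperCertificate
            }
        }
}

$report = Get-AddinSignatureReport -Root $AddinRoot
$report | Sort-Object Status, File |
    Format-Table -AutoSize -Property Status, SelfIssued, Signer, File

# Review list: anything not Valid, or Valid only via a self-issued certificate.
$report | Where-Object { $_.Status -ne 'Valid' -or $_.SelfIssued } |
    Select-Object -Property File, Status, Signer, Thumbprint
```

A `Valid` status with `SelfIssued` set to true means the signature verifies only because that certificate was added to a local trust store, so the decision to trust the publisher still rests with whoever approved the installation.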

What happened to LoadCaseArray, How and Where to Search for Help on a Revit API Question?

While answering another Revit API discussion forum question by Emil on the LoadCaseArray class in Revit 2017, I also happened to produce a more general answer on how to search for help on any Revit API issue:

Question: We are in a process of migrating a project in VB.NET to use with Revit 2017. Previously, it worked with Revit 2016.

I get several errors of the type Type Autodesk.Revit.DB.Structure.LoadCaseArray is not defined, similarly for LoadCombinationArray, LoadUsageArray, and I can't locate any documentation on these arrays in the Revit 2017 API.

As far as I can see, they were not marked as obsolete; they were working OK within our 2016 project.

Answer: Well, you did not look carefully enough   :-)

I performed a simple Internet search for "Revit API LoadCaseArray".

One of the first hits is The Building Coder article on What's New in the Revit 2017 API.

Searching that for LoadCaseArray, you first see it listed in the section on Obsolete API removal.

It does not refer to the LoadCaseArray class, though, but the NewLoadCombination method that was previously using it.

Another hit is the old online Revit 2014 API documentation entry for LoadCaseArray.

That tells me that this is a collection class.

In the far distant past, the Revit API defined heaps of custom collection classes.

They have (almost) all been replaced by generic collections, i.e., something like List<LoadCase>.

You need to look for the updated signature of whatever method call you need to make.

What method is it?

NewLoadCombination?

What argument does it take?

I performed a new Internet search for "Revit API NewLoadCombination", which turns up The Building Coder article on What's New in the Revit 2016 API.

It includes this section:

Load cases and load combinations

The Revit API classes related to Load Cases and Load Combinations have been significantly renovated. This has introduced new members to the LoadCombination, LoadCase, LoadNature and LoadUsage classes, and resulted in several previously existing members being marked deprecated and replaced, as shown in this table:

I hope this answers your question.

Well, maybe not quite.

The whole area of load combinations seems to have been cleaned up quite significantly in the past few releases.

One of the first places to look for working sample code and see how different classes, method calls and properties are used together to achieve certain tasks is the Revit SDK sample collection.

Always perform the following searches before asking anyone else for help:

  1. Revit API help file RevitAPI.chm, provided with the Revit SDK, available online at revitapidocs.com for classes, properties and methods.
  2. Developer Guide, provided with the online Revit Help, for background understanding.
  3. Revit SDK samples, provided in the Revit developer centre, to see how to solve specific tasks.

In this case, I see lots of results searching the Revit SDK samples for LoadCombination.

I much more hope that you are not only fed, but also in the process of being transformed into a competent fisherman   :-)

Good luck with your further searches.

Stone Age fish hook made from bone, from Nordisk Familjebok (1917)
Fish hook made of bone from the Stone Age, found in Skåne, public domain

Dynamo 1.1 Update

Finally, to close for today, let me just point out that Autodesk released the Dynamo 1.1 Update for Computational Design.

Have fun!