Topics for today:
- How does code signing of Revit add-ins increase security?
- What happened to
LoadCaseArray, how and where to search for help on a Revit API question?
- Dynamo 1.1 Update
I talked about the trusted add-in signature requirement introduced with the Revit 2017 API last week.
Neil Smithline, Revit Software Security Architect, added an in-depth explanation on why this requirement was introduced at all, answering a new question from Ken on the Revit API discussion forum thread on code signing of Revit addins:
Question: Can you help me understand how code signing of Revit add-ins improves security?
I create an add-in, I sign it with my cert, then I install my cert during install of the add-in.
I'm in control the whole way (other than the user had to run the installer with elevated permissions...)
I'm not sure I understand how this increases actual security, as opposed to affecting some perception of increased security.
But I am willing to learn.
Answer: Revit add-in code signing is intended to reduce the risk of you running malicious code within a Revit add-in. Before discussing it in specific, let's take a step back and look at the current state of technology.
In general, preventing malicious code, commonly called malware, from running on your computer is difficult. The quantity and ingenuity of malware attacks continues to climb. Malware is being used to target everything from hospitals to lightbulbs. It has been used to damage Iranian nuclear facilities, and recently has been thought to be used as a tool to influence the US presidential elections. The best security Revit, or any application, can provide is to not make the situation worse. So we need to look at what techniques Windows provides for keeping your computer secure.
Some of the most important mechanisms that Windows uses to combat malware are:
- User Account Control – This generates the "Do you want to allow the following program to make changes to this computer?" popup you frequently get when installing applications.
- Mark of the Web – This generates a dialog when you try to run applications downloaded by your browser.
- Authenticode – Microsoft's trademarked term for code signing of executables.
Due to the way that Revit add-ins are downloaded and installed, they bypass User Account Control, Mark of the Web, and Authenticode. That is, Revit add-ins open a hole in Windows' malware security. So Revit must add security to fix this security flaw. Creating and fixing such a weakness is common for apps with add-ins. For example, Chrome requires extensions to be signed, and a company that tries to epitomize openness, Firefox, just added mandatory add-on signing on August 2nd, 2016.
To fix this security hole, we've added code signing. Code signing in Revit, like Microsoft's Authenticode, is intended to give the user a timely security question and to provide you with the information you need to make an informed decision. This is very similar to what Windows' User Account Control and Authenticode systems provide.
As a user, when you are given an add-in signature dialog, you know that the add-in you are loading was written by the owner of the certificate, and that it hasn't been modified since it was signed. It is then up to you to determine if you trust that person or not.
While I would love to have a solution that automatically detected add-in safety and just did the right thing, this is the best that we, as an industry, know how to do. Is it perfect: no. But is it more secure than without signing: I think so.
Thank you very much, Meil, for this very clear overview and motivating clarification!
While answering another Revit API discussion forum question by Emil
LoadCaseArray class in Revit 2017,
I also happened to produce an more general answer on how to search for help on any Revit API issue:
Question: We are in a process of migrating a project in VB.NET to use with Revit 2017. Previously, it worked with Revit 2016.
I get several errors of the type Type
Autodesk.Revit.DB.Structure.LoadCaseArray is not defined, similarly for
LoadUsageArray, and I can't locate any documentation on these arrays in the Revit 2017 API.
As far as I can see, they were not marked as obsolete; they were working OK within our 2016 project.
Answer: Well, you did not look carefully enough :-)
I performed a simple Internet search for "Revit API LoadCaseArray".
One of the first hits is The Building Coder article on What's New in the Revit 2017 API.
Searching that for
LoadCaseArray, you first see it listed in the section
on Obsolete API removal.
It does not refer to the
LoadCaseArray class, though, but the
NewLoadCombination method that was previously using it.
Another hit is the
old online Revit 2014 API documentation entry for
That tells me that this is a collection class.
In the far distant past, the Revit API defined heaps of custom collection classes.
They have (almost) all been replaced by generic collections, i.e., something like
You need to look for the updated signature of whatever method call you need to make.
What method is it?
What argument does it take?
I performed a new Internet search for "Revit API NewLoadCombination", which turns up The Building Coder article on What's New in the Revit 2016 API.
It includes this section:
The Revit API classes related to Load Cases and Load Combinations have been significantly renovated. This has introduced new members to the LoadCombnation, LoadCase, LoadNature and LoadUsage classes, and resulted in several previously existing member being marked deprecated and replaced, as shown in this table:
- Deprecated member → New/replacement member
- Document.NewLoadCombination() → LoadCombination.Create()
I hope this answers your question.
Well, maybe not quite.
The whole area of load combinations seems to have been cleaned up quite significantly in the past few releases.
One of the first places to look for working sample code and see how different classes, method calls and properties are used together to achieve certain tasks is the Revit SDK sample collection.
Always perform the following searches before asking anyone else for help:
- Revit API help file RevitAPI.chm, provided with the Revit SDK, available online at revitapidocs.com for classes, properties and methods.
- Developer Guide, provided with the online Revit Help, for background understanding.
- Revit SDK samples, provided in the Revit developer centre, to see how to solve specific tasks.
In this case, I see lots of results searching the Revit SDK samples for
I much more hope that you are not only fed, but also in the process of being transformed into a competent fisherman :-)
Good luck with your further searches.
Stone Age fish hook made from bone, from Nordisk Familjebok (1917)
Metkrok av ben från stenåldern, funnen i Skåne, public domain
Finally, to close for today, let me just point out that Autodesk released the Dynamo 1.1 Update for Computational Design.