Setting full-trust to signed assemblies

You're probably all aware that assemblies should be signed before application deployment.  In fact, I'd go one further and say that assemblies should be signed during development.  Upon deployment, however, you may need to configure the users' machines such that assemblies signed by your development team run with full-trust.  (Especially true when using no-touch deployment.)

One way to do this is to configure the code access security policy on a single machine (using the MMC snap-in) and export the settings to an MSI file.  You should be aware that this MSI replaces the installed security.config on the target machine, so any configuration changes already made there may be lost.  This is Microsoft's recommended way of pushing security policy around: configure group policy to install the MSI.

This approach is less than useful if you're not using group policy, or if you want your assembly trust levels to be merged into the installed configuration.  (As is the case I'm facing here - we have an off-the-shelf app and we can't insist that the customers follow these rules.)

If you want to script security updates, CASPOL (included with the .NET runtime) is the way to go.  This is a fairly cryptic command line utility.  In our case, we want to create a new code group as a child of the "All Code" group (which has an ID of "1"), whose membership condition is the public key baked into a referenced assembly.  (In this case, the assembly is referenced from a network share.)  I've also told CASPOL to ignore the name and version of the assembly - i.e. any assembly signed with my private key will match this group.  I've also said that it has FullTrust, i.e. it can do anything that it wants to do.

caspol -machine -addgroup 1. -strong -file "\\myserver\myfolder\myasm.exe" -noname -noversion FullTrust -n MyName

If you want to script this, you need to turn the policy change prompt off before the change and back on afterwards (the commands were listed in the wrong order originally; -pp off disables the prompt, -pp on re-enables it).  Do this with:

caspol -pp off
....
caspol -pp on
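The same change as a scripted run, added here as an example and not part of the original post: it checks that the assembly really is strong-named before calling CASPOL, silences the prompt only for the duration of the change, skips the add if a group for that key is already listed, and verifies the result with -resolvegroup and -resolveperm.  The assembly path, group name and caspol.exe location are assumptions.

```powershell
# Added example (not the original post's code). Assumed: the assembly path,
# the group name, and the CLR 2.0 location of caspol.exe. Must run elevated,
# because -machine edits machine-level policy.
param(
    [string]$Assembly  = "\\myserver\myfolder\myasm.exe",   # assumed path
    [string]$GroupName = "MyName",                          # assumed name
    [string]$Caspol    = "$env:windir\Microsoft.NET\Framework\v2.0.50727\caspol.exe"
)
$ErrorActionPreference = "Stop"

# -strong takes the public key from the assembly, so an unsigned assembly cannot
# be used as the membership condition. Fail early with a clear message.
$asmName = [System.Reflection.AssemblyName]::GetAssemblyName($Assembly)
$pubKey  = $asmName.GetPublicKey()
if ($null -eq $pubKey -or $pubKey.Length -eq 0) {
    throw "$Assembly is not strong-named; sign it before granting it trust."
}
$keyHex = ($pubKey | ForEach-Object { $_.ToString("x2") }) -join ""

# caspol -addgroup happily adds a second identical group, so look first.
# Assumes -listgroups prints strong-name groups as "StrongName - <key hex>".
$groups = (& $Caspol -machine -listgroups) -join "`n"
if ($groups -match "StrongName - $keyHex") {
    Write-Host "A machine-level group for this publisher key already exists."
    exit 0
}

# Prompt off only while policy is being changed; finally{} restores it even
# if the add fails, so later interactive use is not left unprompted.
& $Caspol -polchgprompt off
try {
    # Child of "All Code" (label 1.), matched on publisher key only
    # (-noname -noversion), granted the FullTrust permission set.
    & $Caspol -machine -addgroup 1. -strong -file $Assembly -noname -noversion FullTrust -name $GroupName
    if ($LASTEXITCODE -ne 0) { throw "caspol -addgroup failed (exit code $LASTEXITCODE)" }
}
finally {
    & $Caspol -polchgprompt on
}

# Verify from the assembly's point of view: which groups it now falls into,
# and the permission set those groups yield.
& $Caspol -machine -resolvegroup $Assembly
& $Caspol -machine -resolveperm  $Assembly
```

Note that CAS policy is honoured by CLR 2.0 applications; CLR 4 ignores machine policy by default, so this grant has no effect on applications hosted by CLR 4 unless legacy policy is enabled.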
