Menu
Every now and then I see a sample project on the network which contains a .snk file used for signing the compilation results with a strong name.
AFAIK this is plain wrong - once a .snk file is disclosed anyone can produce an assembly that can be used to replace an assembly shipped by the original code supplier but now containing malicious code. I suppose that people shipping .snk files don't treat that risk seriously and just ship the file because otherwise the project wouldn't compile off-the-shelf.
Is there any reason for shipping the .snk file except that "convenience"?
341
Software key file created by Strong Name Tool (Sn.exe), a cryptographic program included with Microsoft's . NET framework; contains a public key and private key pair; used to digitally sign and authenticate an application.
Key pair files usually have an . snk extension. In Visual Studio, the C# and Visual Basic project property pages include a Signing tab that enables you to select existing key files or to generate new key files without using Sn.exe.
A very valid question. I for my part do not ship the SNK file but do provide instructions how to produce one yourself and make the required changes (to enable InternalsVisibleTo for instance).
I think that the current practice has been pushed my Microsoft with the changes in the SNK handling starting with VS2005. Using a key container requires a manual edit of the CSPROJ file with an undocumented MSBUILD item KeyContainerName... the default of VS is to copy the SNK into the project directory, which is convenient but wrong IMHO.
90
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
