One of my colleagues is very keen on signing assemblies. He literally tries to sign anything. Even when we use assemblies from Microsoft that are not signed, he will take the source code, sign it and then ask other developers to use his copy instead.
I can understand the basic idea behind signing an assembly: to ensure a particular assembly is not compromised by some dodgy hacker. So if we are a software development company, we should sign our assembly before releasing some .NET library to our customers.
However, we primarily develop web applications for our own use here, and I just can't see the point of signing every single assembly we use.
Am I missing something here?
A very important reason to sign an assembly is so you can be sure it is your assembly. Since the private key is yours, nobody else can sign an assembly with that same key. This means that when the public key of an assembly is one you know (you can retrieve this using the GetType().
.NET. Signing an assembly ensures that the consumer knows its origin and uniquely identifies the component. It makes the physical DLL file tamper-proof. This tutorial will step you through signing an assembly with a strong name key (SNK) in .
To detect whether the assembly file is signed or not, right click on the file and click the 'Properties' from the context menu. If you see a 'Digital Signatures' tab in the properties window, that means, the file is signed by a digital signature (as shown below).
It is a recommended secure practice to sign all binaries that you ship and validate their signatures at runtime. If your dlls are to be used by other products then you must sign them as those products will want to verify their authenticity and integrity.
I've taken advantage of non-signed assemblies to get around issues before and in academic settings shown people why it's important. I replaced a DLL file that was unsigned (again in an academic setting) with one I made with the same name, same signatures, and used .NET Reflector to copy and paste the original code, but in mine I emailed user names and passwords that were being passed in before calling 'real' code.
If signed, you can make a signature match, but not replace. Contrary to what Zippy says, there will be a run-time compliation error.
Signing assemblies is never overkill. It takes 30 seconds. It's like saying locking your doors is overkill if you live in the country. If you want to gamble with your belongings, go ahead, leave it open. It only takes one security breach to get fired. It only takes 30 seconds to sign an assembly and there's no business case not to. The performance impacts is negligable.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With