Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Code sign .NET assemblies or just the setup?

Tags:

My company finally bought a code-signing certificate.

I have a WinForms application (1 exe and several dlls), all assemblies are already signed with a strong name. The entire application is then packaged into a msi installer. Then I use NSIS to pack the msi, the bootstrapper and the prerequisites (Framework, SQL CE...) into a single setup.exe.

Obviously my setup.exe needs to be signed, to avoid the "scary" UAC prompt. Is that enough or would you also sign the other files, especially the .NET assemblies?

Another project that belongs to the application is a Windows serivce. Would you sign that assembly?

like image 493
DanielR Avatar asked Jun 04 '09 14:06

DanielR


People also ask

How do I digitally sign a .NET assembly?

You sign an application or component by using the Signing tab of the project properties window (right-click the project node in Solution Explorer and select Properties). Select the Signing tab, then select the Sign the assembly check box.

How do you tell if .NET assembly is signed?

Open the properties sheet for the . dll from Windows Explorer. If a tab "Digital Signatures" is shown, it's a signed assembly. If the tab is missing, it's unsigned.

How do I sign assemblies in .NET core?

In Solution Explorer, open the shortcut menu for the project, and then choose Properties. Under the Build tab you'll find a Strong naming node. Select the Sign the assembly checkbox, which expands the options. Select the Browse button to choose a Strong name key file path.

How does assembly signing work?

Each strong-named assembly is digitally signed with a private key corresponding to its public key. This digital signature can be verified by using the public key that is stored in the manifest. You can also further sign an assembly with Authenticode on demand.


1 Answers

You don't have to but its not a bad idea.

Authoring a Fully Verified Signed Installation

You can use these guidelines to cover an entire Windows Installer installation by a digital signature.

Authors of Windows Installer installations must adhere to the following to ensure that all parts of the installation are covered by a digital signature:

  • Use internal cabinet files, or use signed external cabinet files and correctly author the MsiDigitalSignature table and MsiDigitalCertificate table.
  • Use only custom actions stored within the package or installed with the package.
  • Sign the installation package.
  • Include an MsiPatchCertificate table in the package. To enable User Account Control (UAC) Patching, this table must contain information used to identify the signer certificates used to digitally sign patches. UAC patching enables the author of the installation package to identify digitally-signed patches that can be applied in the future by non-administrator users.

The instructions above cover what you need to do for the installer itself. Signing the assemblies is up to you and is somewhat of a separate issue and has separate concerns and benefits. Please read Strong name assemblies can keep you out of DLL Hell for more information about signing assemblies.

like image 92
Andrew Hare Avatar answered Oct 02 '22 13:10

Andrew Hare