Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Do I need to secure my strong name key file for an open-source project?

Tags:

c#

open-source

gac

assembly-signing

I'm creating a starter kit that installs the compiled assemblies from an open-source project into the GAC to make it easier to reference the assemblies in the template. Since they're going in the GAC, they need to be signed.

Do I need to password protect and secure the key file, or is it okay to leave it open and include the file in source control?

like image 888
Daniel Schaffer Avatar asked May 08 '09 13:05

Daniel Schaffer

People also ask

What is a strong name key file?

A strong name consists of the assembly's identity—its simple text name, version number, and culture information (if provided)—plus a public key and a digital signature. It is generated from an assembly file using the corresponding private key.

What is the use of SNK file in Visual Studio?

Key pair files usually have an . snk extension. In Visual Studio, the C# and Visual Basic project property pages include a Signing tab that enables you to select existing key files or to generate new key files without using Sn.exe.

What is .SNK file?

Software key file created by Strong Name Tool (Sn.exe), a cryptographic program included with Microsoft's . NET framework; contains a public key and private key pair; used to digitally sign and authenticate an application.

1 Answers

Strong name signing has several purposes (though not for actual protection against tampering with the program, as is common misconception) - in your case the usage of a strong key for uniquely identifying (and verifying) a specific version of a specific assembly, which is required by the GAC. The other usage, which is preventing spoofing by other assemblies, doesn't seem necessary in this case (correct me if I'm wrong). For this reason, I would believe that it's perfectly acceptable to leave the key open (not password protected) and include the file in source control. As far as I can see, you're not going to stop anything you don't want by password protecting the key. (However, if you could provide more detail on the security context, I might have to revise that view.)

Also, see this MSDN article for a great thorough discussion of how to properly use strong name signing in general.

like image 124
Noldorin Avatar answered Sep 23 '22 03:09

Noldorin
Sign in to Comment

Related questions

Exception from HRESULT: 0x8002000B (DISP_E_BADINDEX) for System.Runtime.InteropServices.COMException
What is the difference between Web deploy and FTP deploy in Visual Studio?
HttpContent boundary double quotes
In-App purchase trouble on Windows 10 UWP
Exit Code When Unhandled Exception Terminates Execution?
Do Webjobs automatically renew leases on Azure Queue messages?
Getting DefaultNetworkCredentials to pass through to WCF Service
Compiling .net core app with CoreRT / another AOT
Control lifetime of .NET Core console application hosted in docker
How to bind a DataGridView to a SQLite Database?
Handling bad CSV records in CsvHelper
System.Drawing Out of Memory Exception On Main() Method - C#
aspnet core jwt token as get param
Multitenant Identity Server 4
How to mock rows in a Excel VSTO plugin?
What should `ReadAsAsync<string>` and `ReadAsStringAsync` be used for?
How to use Rijndael algorithm with 256 long block size in dotnet core 2.1
How to fix "IDX20804: Unable to retrieve document from: '[PII is hidden]'" error in C#
What constitutes 'redundant delegate creation'?
Populate WinForms TreeView from DataTable

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!