Menu
Ok, I must be dumb cause I've already read this: http://www.csharp411.com/net-assembly-faq-part-3-strong-names-and-signing/
And I still don't get it...
Let's say I open my project's properties and go to the "Signing" tab, then I check "Sign the assembly" and generate a new assembly with a password. A strong name key file with the .pfx extension, with both the public and private keys, was created and VS will digital sign my assembly at compiling, right?
What about the private key? Shouldn't be private and me, the developer, be the only one to have it? Shouldn't the assembly be signed only with the public key?
Can anyone explain this to me? Basically, I want to sign my project's assembly and allow me users to check if the assembly was really developed by me where I'm the only to keep the private key (which I think I'm supposed to).
726
.NET. Signing an assembly ensures that the consumer knows its origin and uniquely identifies the component. It makes the physical DLL file tamper-proof. This tutorial will step you through signing an assembly with a strong name key (SNK) in . NET.
Each strong-named assembly is digitally signed with a private key corresponding to its public key. This digital signature can be verified by using the public key that is stored in the manifest. You can also further sign an assembly with Authenticode on demand.
To determine if an assembly is strong-typed, use the Strong Name Tool from Microsoft (http://msdn.microsoft.com/en-us/library/k5b5tt23(v=vs.71).aspx) by running the 'sn.exe -v <assembly>' command. You may need to download one of the Windows SDK packages to get access to this tool.
A strong name consists of the assembly's identity—its simple text name, version number, and culture information (if provided)—plus a public key and a digital signature. It is generated from an assembly file using the corresponding private key.
You are basically right.
You create a key-pair and use it for signing. But do not ship the pfx (or snk) file, it contains both public and private keys and should be kept safe.
The public key is added to the assembly as part of the signing process.
This signature is checked when an assembly is loaded into an application. End users can also check the public-key token in the GAC but that is not really a convenient process. And you have to tell them your public key token some way.
And the whole thing is only as reliable as your ability to keep the key file private.
Also note that ideally you should only have 1 key per company. If you worry about sharing it with (many) co-workers, investigate delay-signing.
178
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
