Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

.NET: Strong naming vs. Authenticode

Tags:

.net

security

assemblies

strongname

authenticode

Having read about strong names in .NET here, for example, I have the following question:

We have an Authenticode code signing certificate with which we sign all our EXE, DLL and MSI files. The benefit of that is that Windows knows the MSI comes from a trusted source, and also that the authenticity of each file can be verified if required.

We currently do not use .NET strong names. I have read that strong-naming a file essentially means that it is digitally signed with a self-signed certificate. My opinion on this is that an Authenticode certificate signed by a trusted certificate authority is much more valuable than a self-signed certificate whose authenticity nobody can verify anyway because they lack the root certificate (and we are not going to distribute that to end users, are we!?).

Question: Is there any value in additionally strong-naming assemblies if Authenticode signing is already used?

like image 279
Helge Klein Avatar asked Dec 17 '10 10:12

Helge Klein

People also ask

What is .NET strong naming?

Strong name consists of an Assemblys identity, that means the Assemblies can be assigned a cryptographic signature. The strong name guarantees the integrity of the assembly which prevents someone from taking over the name of the assembly.

What is strong name signature?

A strong name signature is an identity mechanism in the . NET Framework for identifying assemblies. It is a public-key digital signature that is typically used to verify the integrity of data being passed from an originator (signer) to a recipient (verifier).

How do you tell if an assembly is strongly named?

To determine if an assembly is strong-typed, use the Strong Name Tool from Microsoft (http://msdn.microsoft.com/en-us/library/k5b5tt23(v=vs.71).aspx) by running the 'sn.exe -v <assembly>' command. You may need to download one of the Windows SDK packages to get access to this tool.

1 Answers

The answer will depend upon why you have created a strong name - the intended use of strong name is to create a unique identity for the assembly. For example, if you need to push your assembly in GAC then strong name is must. However strong name is not really meant for verifying the authenticity of publisher - Authenticode serve that purpose. See this article: http://blogs.msdn.com/b/shawnfa/archive/2005/12/13/authenticode-and-assemblies.aspx

like image 136
VinayC Avatar answered Sep 21 '22 12:09

VinayC
Sign in to Comment

Related questions

Are Exceptions and return statements the only possible early exits in C#?
Use environment variable in NuGet config?
MVC - is it model to view or controller to view?
StackOverflowExceptions in nested async methods on unwinding of the stack
Tool for analyzing .Net app memory dumps
What is the market share for the various .Net framework versions?
Repercussions of enabling useLegacyV2RuntimeActivationPolicy?
Why doesn't Đ get flattened to D when Removing Accents/Diacritics
What is the java equivalent of AggregateException from .net?
how to avoid [Content_Types].xml in .net's ZipPackage class
Async CTP and "finally"
Connection_Abandoned_By_ReqQueue Problems
How to play a WPF Sound File resource
Is there a way to find the first string that matches a DateTime format string?
What is a good plotting library for .Net? [closed]
Is there a wildcard expansion option for .net apps?
Why does this code work without the unsafe keyword?
Why is some sql query much slower when used with SqlCommand?
How to prevent a Windows Forms TextBox from flickering on resize?
How to force WPF to use resource URIs that use assembly strong name? Argh!

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!