What does it mean to sign an assembly? And why is it done?
What is the simplest way to sign it? What is the .snk file for?
A very important reason to sign an assembly is so you can be sure it is your assembly. Since the private key is yours, nobody else can sign an assembly with that same key. This means that when the public key of an assembly is one you know (you can retrieve this using the GetType(). Assembly.
To detect whether the assembly file is signed or not, right click on the file and click the 'Properties' from the context menu. If you see a 'Digital Signatures' tab in the properties window, that means, the file is signed by a digital signature (as shown below).
A strong named assembly is generated by using the private key that corresponds to the public key distributed with the assembly, and the assembly itself. The assembly includes the assembly manifest, which contains the names and hashes of all the files that make up the assembly.
Delayed signing refers to a technique of partially signing assemblies while they are in the development phase. So, signing an assembly basically certifies that assembly by the manufacturer and prevents tampering and hi-jacking of that assembly.
The other two answers are fine, but one additional point. It is easy to get confused between "certificate" signing and "strong name" signing.
The purpose of strong name signing is as Stefan Steinegger says: to allow your customer to establish that the code they THINK they're loading really is precisely the code that they ARE loading. That is ALL strong names are for. Specifically, strong names do not establish any kind of trust relationship between your customer and you. If the customer decides that they trust code that comes from you, it is up to THEM to figure out exactly what the correct strong name is for your code. The "key management" problem is not in any way solved; the customer has the burden of figuring out how to know what key to trust.
Certificate signing, that is, signing with a certificate you get from Verisign or some other certifying authority, has a much more complex purpose. The purpose of certificate signing is to establish an authenticated chain of trust and identity from the certifying authority down to the organization which signed the code. Your customer might not trust you, your customer might not have even heard of you, but your customer can say "if Verisign vouches for the identity of the author of this code, then I will trust them". The key management problem is reduced for the customer because the certifying authority has taken on that burden for them.
To sign an assembly is to give the assembly a strong name.
First, let's make an important distinction. One way to categorize assemblies in .NET is as follows:
Why? Having a strong name guarantees that your assembly is unique and that nobody can steal the GUID (as in COM) to create a different object with the same name. In other words, you are ensuring that when you load a signed assembly, you are loading exactly what you think you are loading. Eric Lippert offered a great answer to this particular question here.
This is not the same as saying that a signed assembly can be trusted. For that, an assembly can include Authenticode, a digital signature to provide information about the assembly developer/company.
The following is the short version of the MSDN step-by-step:
Create a strong key using SN.EXE
sn -k C:\mykey.snk
From Visual Studio, on your project Properties page, go to the Signing tab, and check on "Sign the assembly" to pick the file just created
Rebuild your project, and voila. Your assembly is now signed. You can see this in the CSPROJ file of your project:
<PropertyGroup> <SignAssembly>true</SignAssembly> </PropertyGroup> <PropertyGroup> <AssemblyOriginatorKeyFile>mykey.snk</AssemblyOriginatorKeyFile> </PropertyGroup>
The SNK is the 'Strong Name Key' file.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With