Menu
I'm trying to get a grasp of formal signing of .NET dlls/assemblies.
In particular
904
33
See Using Strong Name Signatures for a very good article on signing.
If we are talking strong naming of assemblies then signing should be used to prevent a third party from "spoofing" your code. The strong name is part of your assembly so another assembly with the same name and a different signature is a different assembly. This also prevents assemblies from being modified and re-signed (without the private key).
To be useful, the private key must be kept private. This is usually done through delayed signing and careful management of private key access.
You can also use Authenticode (to sign your strong named assemblies); this can add confidence about who the assembly is actually from.
82
Don't confuse strong name signing with Authenticode signature
As popularly described by Microsoft (I asked a book's author directly about that) strong name is a form of versioning only, not authentication. An assembly is stored in GAC also by strong name public key for reliability purporses (you publish a new version of a library, the previous doesn't get overwritten to prevent regression bugs in the old app).
I'm not 100% sure, but Mono's System assemblies match the Microsoft's public key. Not really a form of security.............
Authenticode signing, instead, is used to perform code authentication. You need a paid certficate from a trusted CA and sign your assemblies with signtool.exe or Visual Studio.
All that has been said here about security, sign servers, etc. applies here. But the point is that you didn't specify what kind of signature you want to put into code.
22
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
