Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

snk vs. code signing certificate

Tags:

In my organization we use snk files with strong names assemblies. We generate the snk ourselves.

In addition we use a code signing signature on the binaries. We get the pfx from Verisign.

  • What is the difference between these two processes?
  • Isn't it a problem that the snk is not recevied from Verisign also?
like image 710
Yaron Naveh Avatar asked Aug 22 '10 15:08

Yaron Naveh


People also ask

What does a code signing certificate do?

Code Signing Certificates are used by software developers to digitally sign applications, drivers, executables and software programs as a way for end-users to verify that the code they receive has not been altered or compromised by a third party.

What is strong name signature?

A strong name signature is an identity mechanism in the . NET Framework for identifying assemblies. It is a public-key digital signature that is typically used to verify the integrity of data being passed from an originator (signer) to a recipient (verifier).


1 Answers

The snk and pfx are used for two different purposes. The snk is used for strong-naming, which uses a key pair to uniquely identify an assembly. The pfx is for code signing, which is a similar process but one that is intended to prevent malicious tampering with assemblies that are distributed publicly. Using both on an assembly both strong-names AND signs it.

It's OK to generate your own SNK file as long as you keep the private key secure. The PFX file you get from Verisign allows you to sign the assembly using a key secured by a third party. This is an additional layer of security that lets users of your assembly know that it has not been tampered with.

like image 148
Dave Swersky Avatar answered Oct 01 '22 14:10

Dave Swersky