More specifically, a class library assembly. My initial thoughts:
Sure, you could just not sign the assembly. But if another project that requires its assemblies to be signed references your library, you get a compile error.
Create and sign an assembly with a strong name by using Visual Studio. In Solution Explorer, open the shortcut menu for the project, and then choose Properties. Under the Build tab you'll find a Strong naming node. Select the Sign the assembly checkbox, which expands the options.
A very important reason to sign an assembly is so you can be sure it is your assembly. Since the private key is yours, nobody else can sign an assembly with that same key. This means that when the public key of an assembly is one you know (you can retrieve this using the GetType().
Your public key is stored in the manifest. The manifest file is digitally signed with your private key, and this signature is stored in a nonhashed segment of the assembly. You develop some code that references some other class of another strong-named assembly.
To detect whether the assembly file is signed or not, right-click on the file and choose 'Properties' from the context menu. If you see a 'Digital Signatures' tab in the properties window, that means the file is signed with a digital signature (as shown below).
I've recently encountered the same problem in an open-source project that I maintain. Here is how I addressed this issue:
So in your case, whoever is preparing the release should own the key. There is no need for the library developers to know about it at all.
If end-users want to recompile and sign with their own keys, that's fine. You can distinguish between the binaries of yours and others by comparing the public key that is present in the signed assemblies. Make the public key available and others can do the same.
Managing this process gets a bit cumbersome when the InternalsVisibleToAttribute is used to refer to strong-named assemblies. You can read about how I addressed that problem here.
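One way to do the comparison described in this answer, as an added example that is not part of the original answer: a PowerShell script that reads the strong-name public key token from an assembly's manifest and compares it with the token of your release key. The script name, the expected token (the default is a placeholder, not a real key) and the optional call to sn.exe are assumptions of the example.

```powershell
<#
Added example, not code from the answer above.
Reads the strong-name public key token of a compiled assembly and compares it
with the token of the key you release with. Exit codes: 0 match, 1 other key,
2 not strong-named.
#>
param(
    [Parameter(Mandatory = $true)]
    [string] $AssemblyPath,

    # PLACEHOLDER token: replace with your own, e.g. the output of  sn.exe -T YourLibrary.dll
    [string] $ExpectedToken = '0123456789abcdef'
)

# GetAssemblyName only reads the manifest; it does not validate the signature.
$name  = [System.Reflection.AssemblyName]::GetAssemblyName((Resolve-Path $AssemblyPath).Path)
$token = $name.GetPublicKeyToken()

if (-not $token -or $token.Length -eq 0) {
    Write-Host "$($name.Name): no strong name (assembly is not signed)"
    exit 2
}

# The token is 8 bytes; render it as the lowercase hex string sn.exe and the CLR use.
$actual = -join ($token | ForEach-Object { $_.ToString('x2') })

if ($actual -ne $ExpectedToken.ToLowerInvariant()) {
    Write-Host "$($name.Name): signed with a different key (token $actual, expected $ExpectedToken)"
    exit 1
}

Write-Host "$($name.Name): public key token matches ($actual)"

# If the .NET Framework SDK's sn.exe is on PATH, also verify that the signature
# itself is valid; the manifest read above cannot tell you that.
$sn = Get-Command sn.exe -ErrorAction SilentlyContinue
if ($sn) {
    & $sn.Source -vf $AssemblyPath
    exit $LASTEXITCODE
}
exit 0
```

Run it as `.\Check-StrongName.ps1 -AssemblyPath .\YourLibrary.dll -ExpectedToken <your token>` (the script file name is hypothetical). Note that a matching token only tells you which key the assembly claims to be signed with; whether the signature is actually valid is checked only by the `sn -vf` step, and .NET Core / .NET 5+ do not validate strong-name signatures at load time at all, so treat the strong name as an identity check rather than a tamper-proofing measure.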
I for one would not mind if more projects that you are probably going to just use as a reference, instead of edit and re-compile, would offer a "signed" version of the dll. That would help in trusting a reference to an existing .dll quicker than checking the code and compiling your own.
In a lot of open-source projects there is kind of a "Parent" of the effort, think Linus or even John Gruber for examples. These people could hold the key or distribute one to a trusted admin for signing major releases.