Menu
To sign an assembly A you have to make sure all assemblies B, C, D that are used by A are signed, and then all assemblies that are used by B, C, D, and so on. I don't understand what's the security benefit of this. I think it's supposed to prevent tampering, but assembly A is allowed to open any file, and these can be tampered. The same goes for an external webserver.
Also, it's too easy to sign an assembly with a .snk file that you make public, sidestepping the requirement.
441
What makes a strong-named assembly? A strong named assembly is generated by using the private key that corresponds to the public key distributed with the assembly, and the assembly itself. The assembly includes the assembly manifest, which contains the names and hashes of all the files that make up the assembly.
Strong naming your assembly allows you to include your assembly into the Global Assembly Cache (GAC). Thus it allows you to share it among multiple applications. Strong naming guarantees a unique name for that assembly. Thus no one else can use the same assembly name.
To determine if an assembly is strong-typed, use the Strong Name Tool from Microsoft (http://msdn.microsoft.com/en-us/library/k5b5tt23(v=vs.71).aspx) by running the 'sn.exe -v <assembly>' command. You may need to download one of the Windows SDK packages to get access to this tool.
Signing an assembly ensures that the consumer knows its origin and uniquely identifies the component. It makes the physical DLL file tamper-proof. This tutorial will step you through signing an assembly with a strong name key (SNK) in .
The point is that otherwise you could replace assembly B/C/D with a different (hacked) one, and A would never notice; it would load them and execute the code. With strong naming, you can't do this without either re-signing the hacked B/C/D with the same key, or by hacking A.
106
Another reason for strong naming is versioning. If you reference a strong named assembly, you get that specific version - and it will load its dependencies at the specific versions it relies upon.
EDIT
Example scenario: If you put an assembly in the GAC, it has to be strong named to allow side-by-side versioning. You couldn't put it in the GAC, though, unless its dependencies were also there (otherwise, they'd fail to load at run time). In order for those assemblies to be loaded reliably, they need to be strong named too, and in the GAC.
35
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
