Signing


Utilities

SN - Strong Name
AL - Assembly Linker


Strong Names

Assigning an assembly a Strong Name ensures that an assembly is unique at the system level.
This is essential if you are deploying shared assemblies in the GAC as two publishers might create an assembly with the same name.
Therefore being able to distinguish between the different assemblies is essential.
A strong name can be thought of as a combination of the name, version number and a unique public key.
Private assemblies do not need to have Strong Names but including one is often a good idea.


Strong names allow you to grant full trust only to those assemblies created from a particular source or organisation.
The purpose of a strong name is to provide every assembly with a hard-to-forge name that clearly identifies its name, author and version.
When you load an assembly based on a strong name you are confident you are loading the code you want and not some alternative version.
Strong names work by using public-key crypotography
There is a delay signing process.


You can sign an assembly with a strong name using the Strong Name Tool - SN.exe
Signing authority or publisher certificate.


Creating a Strong Name

You can create a strong name in a two step process.
First run the Strong Name (SN) command line utility program to create an .snk file that contains a random-generated public and private key pair.

sn -k bettersolutionsSNkey.snk 

Once this file has been created keep it in a safe place (and keep copies of it if necessary).
This file should be used to sign all the assemblies produced by your company.
Second tell the compiler to burn this key into the assemblies when they are built.
The easiest way to do this is to include a AssemblyKeyFile attribute in the AssemblyInfo.vb file of the assembly.

Assembly: AssemblyKeyFile("C:\Personal\bettersolutionsSNKey.snk") 

This folder path should be the absolute folder path.


Including a Strong Name in all your assemblies ensures that the assemblies have not been tampered with in any way.



Publisher Certificates

Assemblies can also be signed with a publisher certificate also known as a code signing certificate.
Strong names do not have a very sophisticated system for managing keys
By contrast, publisher certificates were designed for exactly these scenarios.
You can obtain code-signing certificates from widely trusted certifying authorities such as Verisign or Thawte.
After you have a code signing certificate you can use the certmgr.exe utility to manage your certificates.
There is no GUI in Visual Studio to sign a document with a publisher certificate automatically.
Use signcode.exe in the Framework SDK directory to attach a publisher certificate to a customisation assembly.



PFX

A personal information exchange file is used to store private keys and certificates.
This is used for release signing.
You can right click on a pfx file and choose Install.
When it prompts for a password it wll not be shown on the screen.






© 2024 Better Solutions Limited. All Rights Reserved. © 2024 Better Solutions Limited TopPrevNext