Questions on signing assemblies

[Vivien Parlat]

Hello,

I have a project :
- one main exe files
- some .net dlls used by the exe
- some native non-com dll used by other dll's.

I want to sign those files so that the program detects any external
modifications. I read on MSDN and elsewhere that I would have to sign
all .net dll (if I want, and I do want), but no the main exe because
it couldn't use any other un-signed dll.
I also read that a signed binary could only use signed binaries.
Finally, I found out that there are ways to exclude some controls
using sn.exe, but this only concerned signed binaries...

I know I don't want to check native dll's. My questions are:
1- how can I achieve this ? Can I still use strong name tool ?
2- can i then use sn.exe on main exe file ?
3- do i have to generate one snk file used to sign all binaries, or
one snk per binary ?

Thanks in advance for any answer

 

[Alvin Bruney [ASP.NET MVP]]

VS 200x makes signing simply from the properties menu. Check the signing box
and you are done. When you deploy, remember to deploy the key - VS creates
one for you automatically. The restrictions you read about still apply.

--

Regards,
Alvin Bruney [MVP ASP.NET]

[Shameless Author plug]
The O.W.C. Black Book, 2nd Edition
Exclusively on www.lulu.com/owc $19.99

 

[Vivien Parlat]

VS 200x makes signing simply from the properties menu. Check the signing box
and you are done. When you deploy, remember to deploy the key - VS creates
one for you automatically. The restrictions you read about still apply.

--

Regards,
Alvin Bruney [MVP ASP.NET]

[Shameless Author plug]
The O.W.C. Black Book, 2nd Edition
Exclusively onwww.lulu.com/owc$19.99
-------------------------------------------------------

Hello,

I have a project :
- one main exe files
- some .net dlls used by the exe
- some native non-com dll used by other dll's.

I want to sign those files so that the program detects any external
modifications. I read on MSDN and elsewhere that I would have to sign
all .net dll (if I want, and I do want), but no the main exe because
it couldn't use any other un-signed dll.
I also read that a signed binary could only use signed binaries.
Finally, I found out that there are ways to exclude some controls
using sn.exe, but this only concerned signed binaries...

I know I don't want to check native dll's. My questions are:
1- how can I achieve this ? Can I still use strong name tool ?
2- can i then use sn.exe on main exe file ?
3- do i have to generate one snk file used to sign all binaries, or
one snk per binary ?

Thanks in advance for any answer

Hello Alvin,

I saw the way to sign a file from VS2008 in some places, but excluding
some files appeared to be the privilege of command-line tool. Just to
be sure, are you telling me there is no way to sign assemblies since
they use native files or use other assemblies which use native files ?
This looks strange, as much applications use legacy c++ (old) code or
dll... If I misunderstood, how can it be achieved, given those
rules... ?

Regards

 

[Mythran]

VS 200x makes signing simply from the properties menu. Check the signing
box
and you are done. When you deploy, remember to deploy the key - VS
creates
one for you automatically. The restrictions you read about still apply.

--

Regards,
Alvin Bruney [MVP ASP.NET]

[Shameless Author plug]
The O.W.C. Black Book, 2nd Edition
Exclusively onwww.lulu.com/owc$19.99
-------------------------------------------------------

Hello,

I have a project :
- one main exe files
- some .net dlls used by the exe
- some native non-com dll used by other dll's.

I want to sign those files so that the program detects any external
modifications. I read on MSDN and elsewhere that I would have to sign
all .net dll (if I want, and I do want), but no the main exe because
it couldn't use any other un-signed dll.
I also read that a signed binary could only use signed binaries.
Finally, I found out that there are ways to exclude some controls
using sn.exe, but this only concerned signed binaries...

I know I don't want to check native dll's. My questions are:
1- how can I achieve this ? Can I still use strong name tool ?
2- can i then use sn.exe on main exe file ?
3- do i have to generate one snk file used to sign all binaries, or
one snk per binary ?

Thanks in advance for any answer

Hello Alvin,

I saw the way to sign a file from VS2008 in some places, but excluding
some files appeared to be the privilege of command-line tool. Just to
be sure, are you telling me there is no way to sign assemblies since
they use native files or use other assemblies which use native files ?
This looks strange, as much applications use legacy c++ (old) code or
dll... If I misunderstood, how can it be achieved, given those
rules... ?

Regards

Well, the purpose of an SNK is to identify that the assembly was created by
you or your company. What we have done is created a single key (snk) and
use this key to sign all of our assemblies. This ensures that a single key
is used to identify US as the creator...we only need to keep track of this
single key, which is easier than one per assembly. With a single key, you
can also delay signing of the assembly so you can debug and such w/o signing
every time and w/o the developers needing to have access to the key
(preventing them from taking the key home and creating their own assemblies
signed with your key). When delay signing, a person who is responsible for
signing production-ready assemblies may receive a delay-signed assembly,
sign it, and then publish the signed, release version assembly which is
ready for use by the rest of the world (or customer, or whatever).

To create an SNK file:

sn -k MyCompany.snk

To sign an assembly (in .Net Framework v1.1, haven't done it with later
versions...yet):
In AssemblyInfo.vb:
<AssemblyKeyFile("pathtoMyCompany.snk")>
or what we use since we install the key into the CSP:
<AssemblyKeyName("MyCompany")>

Now, every build of the assembly is signed...(this is NOT using the
delay-signing ability)...

We sign all of our assemblies, even the application exe's...the only
exception to this is when we really need our applications to reference
non-signed assemblies, then we remove the signing for just the application.
Our other assemblies usually require referencing assemblies to be signed,
via class attributes, but we remove this requirement when removing the
signing of the application.

HTH,
Mythran