Comments on: .NET Assembly FAQ – Part 3 – Strong Names and Signing

By: Add strong name sign to third party dll in .Net « Coding Realities – stuff from out there

Tue, 13 Jul 2010 07:33:08 +0000

[...] solutions are signed with a strong name. (Don't know what strong name signing is? Follow this [...]

By: Adding a strong name to a third party dll « Coding Realities – stuff from out there

Tue, 13 Jul 2010 07:29:46 +0000

[...] solutions are signed with a strong name. (Don't know what strong name signing is? Follow this [...]

By: Mansoor Mehmood

Mansoor Mehmood — Tue, 16 Feb 2010 12:49:29 +0000

Thanks for this detailed article. I am not clear about the point you mentioned.

"Requires Exact Match. If you use strong names, your application or library must load the assembly with the exact strong name that you specify, including version and culture. Note that you can bypass this requirement with a publisher policy (to be discussed in a future article)."

I have added a signed dll (test.dll) with version 1.0.1.0 in my exe (test.exe). I built test.dll again with version 1.0.2.0 then I simply copy past the dll to test.exe program it still get executed can please help in this. What I believe or get understood by your above point is that it should not get executed.

Thanks

By: yaron

yaron — Mon, 08 Feb 2010 19:19:27 +0000

how can i use x509 certificate created from CA to strong name the code ?

By: Защищаем .NET программы.

Защищаем .NET программы. — Wed, 23 Sep 2009 16:25:30 +0000

[...] Сборки .NET можно подписать ключем, и позволять инклудинг только по публичному ключу. Но это никакая не защита, а простой выход убедится, что версия библиотеки правильная для конкретного приложения. Это также позволяет убедится в целостности приложения. Подробней на английском можно почитать здесь. [...]

By: Chris

Chris — Mon, 21 Sep 2009 18:22:36 +0000

You can store hash (ex. in MD5) of your public key and compare it with hashes from loading assemblies before application starts. To create MD5 hash of the public key of loading assembly you can use:
currentAssembly.GetName().GetPublicKey() and MD5 class.

Now you know if loading assembly contains your public key or not.

By: Serge

Serge — Fri, 12 Dec 2008 13:52:07 +0000

I have a question about Assembly Versions.
What I have to do in order to use in my application old assembly with new version number? Should I remove the reference and insert it again every time the version is changed? Is there another way?

By: timm

timm — Wed, 20 Aug 2008 21:55:48 +0000

Gnordstrom:

1. I don't know for sure, but I would say yes. You'll have to test it and let us know what you find.

2. No, once you lose your pfx password, there is no recovery. You will be forced to re-issue a new assembly signed with a new public-private key pair.

By: gnordstrom

gnordstrom — Wed, 20 Aug 2008 20:55:26 +0000

I have two questions about the pfx file that Visual Studio creates: 1. If the code for an assembly that I originally created and signed with a password protected pfx file, is recompiled by another developer on their machine with my pfx file does the dll contain the same strong name as the one compile on my machine? 2. If I forget the password for a pfx file is there any way to decrypt the pfx file to obtain the password?
Thanks!

By: timm

timm — Wed, 21 May 2008 20:39:40 +0000

There are two types of signing (it's unfortunate both use the same name). There's "signing" to give the assembly a strong assembly name, as described above, and there's "signing" to verify the application hasn't been tampered with. The former uses .snk files. The latter uses .pvk, .cer, and .pfx files.

* A public key (.cer file) is given by a Certificate Authority (trusted third party)
* A private key (.pvk file) you generate and keep confidential
* A Personal Information Exchange (pfx file) contains a public key and a private key.

Here is an article that contrasts the two types of signing:

http://www.robrich.org/archive/2006/11/29/Code-Signing-two-worlds-defined.aspx