.NET strong-named assembly and digital signing

I have a .NET assembly that I strong-named in order to put it in the GAC. However, the same assembly is also digitally signed later using a .pfx file.

I noticed that this double-signed assembly does not pass strong name validation and does not install into the GAC on the target machine.

Is it possible that the digital signing procedure removes the strong name (sn.exe) signature?

The digital signature is important, and if the two are incompatible, can the file be signed with the .pfx file as easily as with the sn.exe strong naming process?

Also, the assembly is C++/CLI, not C#.

EDIT: Looking at the MSDN documentation, it says that if you use linker options for strong naming and then use a tool such as mt.exe (I'm not sure whether signtool.exe falls among those tools), the assembly should be re-signed.

Also, this statement:

If you use signing attributes when building in a development environment, you can successfully sign an assembly by explicitly calling sn.exe (Sn.exe (Strong Name Tool)) in a post-build event.

... is a little confusing. Which attributes does this refer to, CLR attributes or linker attributes?

+3


2 answers


They are compatible, but they must be applied in a specific order:

  • Strong name (sn.exe)
  • Authenticode / code signing / digital signature (signtool.exe)

I do this regularly without any problem with C# assemblies. I don't see why it would be different for C++.

This works because the strong name hash does not include certain parts of the PE header, including the Authenticode hash. As explained here.

+2




We are building multiple C++/CLI assemblies. We use the linker options:

  • /KEYFILE - to select an .snk file with the public key
  • /DELAYSIGN - to specify delay signing

Then, in the post-build event, we call sn.exe to apply a test signature.

Later, before including the assembly in the merge module, we call:

  • sn.exe - to apply the real strong name signature
  • signtool.exe - to apply the Authenticode signature

You should be able to use just /KEYFILE pointing to the .snk file holding your key pair and then just call signtool to do the Authenticode signature.

If you are not using any other tool after building the assembly, this should do it.

0


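The signing order from the first answer and the delay-sign workflow from the second, written out as a PowerShell pre-package script. This is an added example, not code from either answer; the file names (MyLib.dll, MyLib.snk, codesign.pfx), the PFX_PASSWORD environment variable and the timestamp server URL are assumptions to replace with your own. It expects the assembly to have been linked with /KEYFILE pointing at the public-key .snk plus /DELAYSIGN, and sn.exe and signtool.exe (Windows SDK) on the PATH, e.g. in a Developer PowerShell.

```powershell
# Added example (not from the original answers). Pre-package script for a
# C++/CLI assembly linked with /KEYFILE:MyLib.public.snk /DELAYSIGN.
# Assumed names: MyLib.dll, MyLib.snk (full key pair), codesign.pfx,
# $env:PFX_PASSWORD and the timestamp server URL. Replace them with your own.
param(
    [string]$Assembly     = 'MyLib.dll',
    [string]$KeyPair      = 'MyLib.snk',
    [string]$PfxFile      = 'codesign.pfx',
    [string]$PfxPassword  = $env:PFX_PASSWORD,
    [string]$TimestampUrl = 'http://timestamp.digicert.com'
)
$ErrorActionPreference = 'Stop'

# Run an external tool and fail the script on a non-zero exit code,
# so a broken signature never silently reaches the merge module.
function Invoke-Tool {
    param([string]$Exe, [string[]]$ToolArgs)
    & $Exe @ToolArgs
    if ($LASTEXITCODE -ne 0) {
        throw "$Exe $($ToolArgs -join ' ') failed with exit code $LASTEXITCODE"
    }
}

# Step 1: strong name first. The linker wrote only the public key and reserved
# space for the signature (/DELAYSIGN); sn -R fills that space using the key pair.
# (During development, 'sn.exe -Vr MyLib.dll' lets the still-unsigned assembly
# load on the dev box; undo it with 'sn.exe -Vu MyLib.dll' before you ship.)
Invoke-Tool 'sn.exe' @('-R', $Assembly, $KeyPair)

# The strong name must verify on its own before Authenticode is added. -vf forces
# verification even if the assembly is registered for verification skipping.
Invoke-Tool 'sn.exe' @('-vf', $Assembly)

# Step 2: Authenticode last. Its hash covers the strong-name signature blob, so
# running sn -R after this step would invalidate the Authenticode signature.
# The strong-name hash, by contrast, skips the PE checksum, the Certificate
# Table directory entry and the certificate table itself, so adding the
# Authenticode signature afterwards leaves the strong name valid.
Invoke-Tool 'signtool.exe' @('sign', '/f', $PfxFile, '/p', $PfxPassword,
                             '/fd', 'SHA256', '/tr', $TimestampUrl, '/td', 'SHA256',
                             $Assembly)

# Step 3: both signatures must still verify on the final file; this is the
# check to run before the file goes into the merge module or the GAC.
Invoke-Tool 'sn.exe' @('-vf', $Assembly)
Invoke-Tool 'signtool.exe' @('verify', '/pa', '/v', $Assembly)
```

If the final `sn.exe -vf` fails, something touched the file after step 1 (mt.exe, a resource editor, or signtool run in the wrong order); re-run from step 1 rather than trying to patch the result. Keeping the full key pair off the build agents and doing step 1 only on the release machine is the reason /DELAYSIGN exists.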