C#: why sign an assembly?

In some C# code I have taken over (in Visual Studio 2005), I have noticed that the assemblies are all signed with the same .snk file.

  • Why would the previous author have signed the assemblies in this way?
  • Is signing assemblies necessary and what would be wrong with not signing?
  • What disadvantages are there in signing assemblies – does it cause delays?

C# Sign Assembly Using Code

I am trying to create my own tool to sign my assemblies with StrongNames using only C# code. I have been able to generate the signature and keys using .Net RSA Classes in System.Security.Cryptography

why is windows file version different from actual assembly version for a C++/CLR assembly

I have a 3rd party C++/CLR assembly. When I right click the dll, the version tab shows 5.32.1 but when the meta information in ILSpy shows 5.0.0. Why is this difference? Which one is the one that is c



Why is it bad to start a variable name with a dollar sign in C++/Java and similar?

Why is it bad to start a variable name with a dollar sign in C++/Java and similar such as in PHP? Edit: Are there any risks?

Assembly – The sign flag & parity flag

I didn’t understand when the sign flag is set, and when the parity. As I know, the sign flag indicates the sign of the result of an operation, 0 for positive numbers and 1 for negative numbers. So why

How to sign an assembly using devenv.com

HI, Have a build process using devenv.com that will compile c# code into assemblies and this works as expected. However I want to sign the assembly built using a key which I already have, is this poss

Why do we write some part of os in assembly and some part in high level language like c? [closed]

In implementing operating system except very small part is written in assembly while most part is written in high level languages such as C/c++ What is the part that is written in assembly and why do

How can I sign an assembly that reference unsigned COM interop assemblies?

When I try to sign the assembly I get the following error: Error 1 Assembly generation failed — Referenced assembly ‘comlib’ does not have a strong name Is it possible to sign an assembly that refe

Why sign my xap?

Why should I sign my XAP? Is their any advantages to the average silverlight user? does it offer me any tamper protection on my XAP? If I use a bootstrapper to chain download my xaps and someone chang

Why using $ sign [duplicate]

Possible Duplicate: What is the meaning of symbol $ in jQuery? i Want to know why using $ sign at beginning for example in jquery each function. What does difference between two of this.. $(‘.contai

Why isn’t my C++ assembly signed?

I have a C++ project, set to /clr, which is referenced by C# projects in the same solution. Unfortunately, it seems the C++ doesn’t get properly signed, leading to the error message assembly doesn’t

Answers

You need to sign assemblies if you want to put them in the GAC.

If you sign an executable, then any class libraries it links to also needs to be signed. This can be difficult if you’re using a third-party library (especially if you need to use an ActiveX control or similar).

Richard Grimes have written a good workshop about security in .NET and that includes a chapter about this: Security Workshop

The reason for all the assemblies being signed with the same .snk file could be if he used unit testing with code coverage. To be able to do code coverage (at least with the tools built into the testing version of Visual Studio 2005) and if the assemblies are signed, you need to specify what .snk files are used for the signing, but I think you can only specify one .snk file for the whole solution, so if you sign the various class libraries with different .snk files you can only check the code coverage on one of them at a time.

Why would the previous author have signed the assemblies in this way?

No idea, maybe he wanted all his assemblies to be signed with the same key.

Is signing assemblies necessary and what would be wrong with not signing it?

No, it is not necessary but it is a mechanism allowing you to ensure the authenticity of an assembly. It allows you to ensure that an assembly hasn’t been tampered with and indeed it origins from this author. It is also necessary if you want to put them into the GAC.

What disadvantages are there in signing assemblies – does it cause delays?

Signed assemblies can only load other signed assemblies. Also they are tied to a specific version meaning that you need to use binding redirects or recompile the application if you wanted to use a different version. There’s a little performance overhead as well due to the verification of the signature but it is so little that you shouldn’t be concerned about.

A very important reason to sign an assembly is so you can be sure it is your assembly. Since the private key is yours, nobody else can sign an assembly with that same key. This means that when the public key of an assembly is one you know (you can retrieve this using the GetType().Assembly.GetName().GetPublicKey() function), the assembly is yours and it has not been tampered with.