Tuesday, February 5, 2013

Signing Assemblies

Why do we need to sign assemblies? There are a number of reasons to sign assemblies, but it is not a compulsory task.

Signing an assembly assures its authenticity. That is, when we receive a signed assembly from a third party, we are assured that we are getting exactly the one that was built by the third party we are supposed to get it from. If the assembly is not signed, there is no assurance that no one has changed the assembly and rebuilt it after it was delivered by the third party we are supposed to get it from.

Even though signing assures the authenticity of assemblies, signed assemblies are still a bit slow to load. That leads many parties not to sign assemblies in some scenarios. There are scenarios where we don't need to worry about signing assemblies.

Without signing assemblies we cannot deploy them in the Windows GAC, because the GAC only accepts signed assemblies. So if you are going to deploy any of your assemblies in the GAC, make sure you sign them with strong names.

We know that we sign assemblies with strong names, but what does a strongly named assembly mean? Strongly named means that the name is globally unique: no two signed assemblies will share one strong name.

The next question is how the .NET platform ensures these strong names for signed assemblies.

Strong Name = Name Text + Assembly Version + Culture Information + Public Key + Digital Signature

This equation is what makes a signed assembly's name strong. These strong names ensure the following features of signed assemblies:


1. Strong names guarantee name uniqueness by relying on unique key pairs. No one can generate the same assembly name that you can, because an assembly generated with one private key has a different name than an assembly generated with another private key.

2. Strong names protect the version lineage of an assembly. A strong name can ensure that no one can produce a subsequent version of your assembly. Users can be sure that a version of the assembly they are loading comes from the same publisher that created the version the application was built with.

3. Strong names provide a strong integrity check. Passing the .NET Framework security checks guarantees that the contents of the assembly have not been changed since it was built. Note, however, that strong names in and of themselves do not imply a level of trust like that provided, for example, by a digital signature and supporting certificate.
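The parts of the strong name equation above can be read back from any assembly. The following C# program is an added example, not code from the original post; the class and method names are hypothetical. It prints each part and derives the public key token (the short form of the public key that appears in an assembly's display name) from the full public key.

```csharp
using System;
using System.Linq;
using System.Reflection;
using System.Security.Cryptography;

static class StrongNameInspector // hypothetical helper, not part of the .NET SDK
{
    // The public key token shown in a display name is the last 8 bytes
    // of the SHA-1 hash of the full public key, in reverse order.
    public static byte[] TokenFromPublicKey(byte[] publicKey)
    {
        using (SHA1 sha1 = SHA1.Create())
        {
            byte[] hash = sha1.ComputeHash(publicKey);
            return hash.Skip(hash.Length - 8).Reverse().ToArray();
        }
    }

    static string Hex(byte[] bytes) =>
        BitConverter.ToString(bytes).Replace("-", "").ToLowerInvariant();

    public static void Describe(AssemblyName name)
    {
        Console.WriteLine("Name text: " + name.Name);
        Console.WriteLine("Version:   " + name.Version);
        Console.WriteLine("Culture:   " +
            (string.IsNullOrEmpty(name.CultureName) ? "neutral" : name.CultureName));
        byte[] publicKey = name.GetPublicKey() ?? new byte[0];
        if (publicKey.Length == 0)
        {
            Console.WriteLine("Public key: none, so this assembly has no strong name");
            return;
        }
        byte[] reported = name.GetPublicKeyToken() ?? new byte[0];
        byte[] derived = TokenFromPublicKey(publicKey);
        Console.WriteLine("Token reported by the runtime: " + Hex(reported));
        Console.WriteLine("Token derived from the key:    " + Hex(derived));
        Console.WriteLine("Tokens match: " + reported.SequenceEqual(derived));
        // The digital signature is stored inside the assembly file itself;
        // it is not exposed on AssemblyName.
        Console.WriteLine("Display name: " + name.FullName);
    }

    static void Main(string[] args)
    {
        // With no argument, inspect the core library the program runs on.
        AssemblyName name = args.Length > 0
            ? AssemblyName.GetAssemblyName(args[0])
            : typeof(object).Assembly.GetName();
        Describe(name);
    }
}
```

Pass the path of a DLL as the first argument to inspect that file instead of the core library.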

Signing assemblies can be done through Visual Studio or through the command line, but either way, at the end of the day we use the .NET SDK utilities. While signing, you can generate a new key file or, if you have already signed assemblies, supply the existing key file.

This signing is done through a Certificate Authority, and if you are using the built-in key generation facility in Visual Studio then you are using the Windows built-in Certificate Authority. Instead of that, you can use third-party Certificate Authorities like Verizon to sign your assemblies.

Please see the following links for more information about signing assemblies:

http://msdn.microsoft.com/en-us/magazine/cc163583.aspx
http://msdn.microsoft.com/en-us/library/ms247123(v=vs.80).aspx
http://blog.codingoutloud.com/2010/03/13/three-ways-to-tell-whether-an-assembly-dl-is-strong-named/
http://msdn.microsoft.com/en-us/library/xc31ft41.aspx
http://msdn.microsoft.com/en-us/library/bb385180.aspx
http://stackoverflow.com/questions/3975723/c-why-sign-an-assembly
http://stackoverflow.com/questions/1197133/anything-wrong-with-not-signing-a-net-assembly
http://stackoverflow.com/questions/4725246/signing-net-assemblies?lq=1

