R – Do I need to publish the public key from .snk file

assembliesnetstrongname

From the description of sn.exe utility and this question I see that a copy of the public key is added to every assembly signed with the strong name. This is enough to validate that the assembly binary has not been altered.

But how does one verify that given assembly was really signed with some given keypair and compiled by a given company? Anyone could generate his own keypair, produce some assembly and sign it with his keypair. Do I need to publish the public key so that those who want to verify the assembly origin could compare the public keys? if so, what is the best way to do so?

Best Answer

No, you don't need to publish your public key outside of the assembly since it is hashed and stored as a token alongside the reference inside the client's application:

AssemblyName, Version=1.0.0.0, Culture=neutral, PublicKeyToken=bcd6707151635d07"

This gives a method to ensure that all future versions of the assembly are compiled against the same key pair and therefore from the same publisher.

More details about how having this information stops another source from pretending to be you can be found in my other answer.

Related Solutions

C# – How to update the GUI from another thread

The simplest way is an anonymous method passed into Label.Invoke:

// Running on the worker thread
string newText = "abc";
form.Label.Invoke((MethodInvoker)delegate {
    // Running on the UI thread
    form.Label.Text = newText;
});
// Back on the worker thread

Notice that Invoke blocks execution until it completes--this is synchronous code. The question doesn't ask about asynchronous code, but there is lots of content on Stack Overflow about writing asynchronous code when you want to learn about it.

R – Should interop assemblies be signed

This has been a tricky balance for some time. The issue comes from the fact that you need to distribute your Interop assemblies with your code and you may be signing your own assemblies. If you sign your assembly then all the assemblies it references must also be signed - including the Interop assemblies. So you have to sign them.

If you are distributing a standalone application then there's no risk and you should just go ahead and sign the assemblies to make your life easier.

If you are distributing component libraries, things can be a bit trickier since another developer using your libraries might generate their own interop assemblies but sign them with their own keys. This causes all sorts of naming and dependency issues.

Depending on how complex your Interop assemblies are - you can generate the proxy code into a separate .CS/.VB file and compile it directly into your assembly. Then you won't have to worry about strong name issues.

Best Answer

Related Solutions

C# – How to update the GUI from another thread

R – Should interop assemblies be signed

Related Topic