Ok, I must be dumb cause I've already read this:
http://www.csharp411.com/net-assembly-faq-part-3-strong-names-and-signing/
And I still don't get it…
Let's say I open my project's properties and go to the "Signing" tab, then I check "Sign the assembly" and generate a new assembly with a password. A strong name key file with the .pfx extension, with both the public and private keys, was created and VS will digital sign my assembly at compiling, right?
What about the private key? Shouldn't be private and me, the developer, be the only one to have it? Shouldn't the assembly be signed only with the public key?
Can anyone explain this to me? Basically, I want to sign my project's assembly and allow me users to check if the assembly was really developed by me where I'm the only to keep the private key (which I think I'm supposed to).
Best Answer
You are basically right.
You create a key-pair and use it for signing. But do not ship the pfx (or snk) file, it contains both public and private keys and should be kept safe.
The public key is added to the assembly as part of the signing process.
This signature is checked when an assembly is loaded into an application. End users can also check the public-key token in the GAC but that is not really a convenient process. And you have to tell them your public key token some way.
And the whole thing is only as reliable as your ability to keep the key file private.
Also note that ideally you should only have 1 key per company. If you worry about sharing it with (many) co-workers, investigate delay-signing.