Visual-studio – When should you protect a strong name key file with a password

assembly-signingvisual studio

In the visual studio project settings you can choose a strong name key file for signing the assembly. When creating a new one you can choose to protect it with a password. When should you do this? And when should you not?

I am thinking that it could for example be not so smart to protect it with a password if the project is an open source project hosted on Codeplex or similar. Or should it still be protected? Will people be unable to download the source and compile it if the key file is protected? Or, how does this work exactly?

Best Answer

In general, you should protect it with a password if you don't trust the people with access to it. Anyone with access to the key file can create an assembly with your strong name (unlike authenticode, they're not impersonating you, but they can get their assemblies to load instead of yours)

As for the open source scenario you described, people can always compile the code - they simply create a new key file, but the assemblies they create will not be loaded by assemblies that try to load your assemblies.

Related Solutions

C# – How to declare a friend assembly

You need to sign both assemblies, because effectively both assemblies reference each other.

You have to put the public key in the InternalsVisibleTo attribute. For example, in Protocol Buffers I use:

[assembly:InternalsVisibleTo("Google.ProtocolBuffers.Test,PublicKey="+
"00240000048000009400000006020000002400005253413100040000010001008179f2dd31a648"+
"2a2359dbe33e53701167a888e7c369a9ae3210b64f93861d8a7d286447e58bc167e3d99483beda"+
"72f738140072bb69990bc4f98a21365de2c105e848974a3d210e938b0a56103c0662901efd6b78"+
"0ee6dbe977923d46a8fda18fb25c65dd73b149a5cd9f3100668b56649932dadd8cf5be52eb1dce"+
"ad5cedbf")]

The public key is retrieved by running

sn -Tp path\to\test\assembly.dll

Alternatively, get it from the .snk file:

sn -p MyStrongnameKey.snk public.pk
sn -tp public.pk

C# – the recommended way to manage a strong-name key pair for an open-source project

You should not distribute the keypair. The strongname is for verifying that the new version of assembly comes from the same publisher.

If another developer wants to branch your project they will generate their own keypair and that will effectively show that their version is not from you so that other assemblies that depend on yours will not load anymore unless they are recompiled. That's not always convenient but it protects you from someone issuing a malicious version of assembly and silently distributing it.

Best Answer

Related Solutions

C# – How to declare a friend assembly

C# – the recommended way to manage a strong-name key pair for an open-source project

Related Topic