WynApse Home Page
Home    Blog    About    Contact       
Latest Article:


My Tags:
My Sponsors:






Lifetime Member:

Strong Name Signing Assemblies



I've been reading Allen Jones' "C# Programmer's Cookbook" and trying some of the code as I go. I didn't get too far before I got to the 'recipe' about signing an assembly with a strong name, and working with strong-named key pairs in general. I had so much 'fun' figuring out how to make it work I figured it might be worth a mention here.

The Need

I'm not sure I have an overwhelming 'need' for this since I'm not doing much desktop work lately, but the subject is interesting, and you never know where you're going to be working next.

Strong-Named Key Pairs

There is much more about this in the book and other sources, but the bottom line is you have available the capability of generating a public/private key pair using a tool delivered with Visual Studio. This is the Strong Name tool, sn.exe.

Using sn.exe you can generate either a key file or "Cryptographic Service Provider" (CSP) container. I'm not going to try to write an article on public/private keys and get into subjects I have little knowledge of, but I'm going to show how to use the Strong Name tool to create a key file and sign an assembly with it.

Generating a key file is simple, and straightforward to understand. Using the key file is also straightforward. It got a little fuzzy when I tried to use the CSP file, hence my reason for documenting this.

Creating a key file

The simplest way to use sn is to take the Visual Studio 2005 Command Prompt link. That way the path is setup correctly. Once you are in the DOS box, you'll want to change directory to wherever your source files are because whether you use a key file or a CSP, you need to be in the same folder as your source files.

To generate a new key pair, simply type:

sn -k MyKeys.snk


This will produce a file named MyKeys.snk in the folder that has a key pair in it. You can then put the keys into a CSP container by typing the following:

sn -i MyKeys.snk MyKeys


Now you're not going to find a ".csp" file laying around. If someone gets this far in the page and knows the magic of how this all happens, let me know and I'll add it and give you credit! Suffice it to say that a container is created. Also suffice it to say that to be able to use the container, you have to be in the folder where the source you're going to sign is located.

You can sign your assembly with either a key file or a CSP, and you can also choose to delay signing to allow development to take place without having your private key laying around all over the office. It's a good idea to create the pair for a project, and have only one person have responsibility for the private key. Everyone else uses the public key during development. The public key is extracted from the key file by typing:

sn -p MyKeys.snk MyPublicKey.snk


To extract the public key from a CSP, type this:

sn -pc MyKeys.snk MyPublicKey.snk


Signing An Assembly

There are a couple variations on the method of signing an assembly that depends on your choice of using a key file or a CSP and if you plan on delay signing.

Signing the assembly is as simple as adding one line above your beginning line of code in the source:

[assembly: AssemblyKeyFile("..\\..\\MyKeys.snk")]


So far this pretty much tracks the book, and as I said, refer to the book for detailed information. The change I had to make was to dereference the snk file from the bin\Release or bin\Debug folder back to the source. That was holding me out for a while. The code shown above would sign with public and private keys, as long as the snk file was in the folder with your source.

If you want to use a CSP file, change the code to:

[assembly: AssemblyKeyName("MyKeys")]


This is where the magic of being in the folder where the source resides comes into play when you generate the CSP. Notice that no dereference is necessary for this version.

If the intent is to use delayed signing, the code looks like this:

[assembly: AssemblyKeyFile("MyPublicKey.snk")]
[assembly: AssemblyDelaySign(true)]


And then when you're ready to sign it with the private key you execute this Strong Name command:

sn -R filename.exe MyKeys.snk
or, if you're using a CSP:
sn -Rc filename.exe MyKeys


That's It

That's the quick and dirty for signing an assembly with a Strong Name, and gives you and your users the warm and fuzzy that your file has not been hacked. You can quickly check an assembly to make sure that the signing took place by executing:

sn -vf filename.exe

As I said, my intent was just to touch on the highlights of how to code this up since I had problems. If someone has more insight into CSP's please let me know.

Web resources I found useful while figuring this out are:

Microsoft Support

and another here.
Copyright © 2006-2017, WynApse