none
snk vs. code signing RRS feed

  • Question

  • I have seen assemblies which are signed with both an snk and a code signing certificate. Why is that?

    A code signing certificate ensures both the source of the code and that it was not tampered with. snk only ensures the latter.


    http://webservices20.blogspot.com/
    WCF Security, Performance And Testing Blog
    Sunday, August 22, 2010 10:15 PM

Answers

  • Signing an assembly with an snk provide it with a strong name ("unique ID" was a bad choice of words, sorry about that, strong name is the correct term), which uniquely identifies it (allowing it to be registered in the GAC and be referenced by other assemblies through its strong name) and prevents tampering with the assembly. 

    Alternatively you can sign your assemblies with the pfx. Just choose it instead of an "snk" in the visual studio project properties panel.

    The pfx supplies improved security. The snk files don't have a password, so if someone "finds" your snk file they can sign any assembly with it, while if they find the pfx, they need to know the password to do the actually signing. Also they are usual containers for private keys, certificates and other secret information, so if your company has a certificate supplied by a valid CA, that's how you want to sign your assemblies.

     

    Delayed signature is another thing. It's used by companies who don't wish to supply their developers with the private key to sign the assemblies. So the developers have access to the public key (in a form of an "snk") and delay sign their assemblies which are later (typically before shipping the product) signed with the private key (either in an "snk" or a "pfx"). The "sn.exe" command allows the extraction of the public key from a snk or a pfx file, so that you can delay sign your assemblies with the public key.


    -- Blog: http://geeklyeverafter.blogspot.com/
    • Marked as answer by Yaron Naveh Tuesday, August 24, 2010 11:57 AM
    Tuesday, August 24, 2010 10:39 AM
  •  

    > Does pfx addresses the unique ID issue? e.g. in development I want to reference strong named dll, now I use snk for this (and sign after), can I use pfx instead duplicate signature?

     

    Code signing addresses the unique ID issue by providing digital signatures to files, but Strong Name is just a concept in .NET for same purpose. So we can use SignTool.exe to sign and time stamp a file with given pfx, even though the file is a strong named dll.

     

     

    > Also in my organization developers are not allowed to use the pfx. They still need strong names. Could it be the reason why both snk and pfx are used? is it related to "delayed signature"?

     

    Nothing related to "delayed signature", a snk used for strong-named .NET assembly consists of two part: private key and public key; the private key part, as pfx, should be kept confidentially, that's why Delay Signing involved.

     

     

    In a word, Code Signing addresses who is the owner of the file, and whether the file is tempered, it can applied to all types of Windows files; Strong Name (snk) only addresses whether the file is tempered, it can only applied to .NET assemblies, in additional, it is a very useful mechanism in .NET, for example, it helps to get rid of Dll He-ll.


    Sincerely,
    Eric
    MSDN Subscriber Support in Forum
    If you have any feedback of our support, please contact msdnmg@microsoft.com.
    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    Welcome to the All-In-One Code Framework! If you have any feedback, please tell us.
    • Marked as answer by Yaron Naveh Tuesday, August 24, 2010 11:57 AM
    Tuesday, August 24, 2010 11:24 AM

All replies

  • Hi,

    From my understanding, the snk is there for .NET Strong Name purpose, prevent an assembly from been tampered.


    Sincerely,
    Eric
    MSDN Subscriber Support in Forum
    If you have any feedback of our support, please contact msdnmg@microsoft.com.
    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    Welcome to the All-In-One Code Framework! If you have any feedback, please tell us.
    Monday, August 23, 2010 7:13 AM
  • Code signing addresses both the integrity and the authentication issue. The snk only addresses the first issue (integrity) while also supplying an assembly unique ID (also useful for versioning issues), which most of the times is enough. However if you really need to certify the authenticity of your code, you should use more sophisticated signing schemes that use certificates supplied by CA's (Certification Authorities) who declare you really are who you're saying you are. There's only a handful of companies allowed to emit this certificates (VeriSign is an example). You can always generate your own certificates, but they don't have the same value if they aren't certificated by an authorized CA because you can always generate a certificate stating you are Microsoft or any other company.

    Note however that these certificates need to be acquired and renewed frequently, so that's an additional cost most developers don't want unless they're dealing with something really important. 


    -- Blog: http://geeklyeverafter.blogspot.com/
    Monday, August 23, 2010 10:50 AM
  • The snk only addresses the first issue (integrity) while also supplying an assembly unique ID

    Does pfx addresses the unique ID issue? e.g. in development I want to reference strong named dll, now I use snk for this (and sign after), can I use pfx instead duplicate signature?

     

    Also in my organization developers are not allowed to use the pfx. They still need strong names. Could it be the reason why both snk and pfx are used? is it related to "delayed signature"?


     


    http://webservices20.blogspot.com/
    WCF Security, Performance And Testing Blog
    Monday, August 23, 2010 12:55 PM
  • Signing an assembly with an snk provide it with a strong name ("unique ID" was a bad choice of words, sorry about that, strong name is the correct term), which uniquely identifies it (allowing it to be registered in the GAC and be referenced by other assemblies through its strong name) and prevents tampering with the assembly. 

    Alternatively you can sign your assemblies with the pfx. Just choose it instead of an "snk" in the visual studio project properties panel.

    The pfx supplies improved security. The snk files don't have a password, so if someone "finds" your snk file they can sign any assembly with it, while if they find the pfx, they need to know the password to do the actually signing. Also they are usual containers for private keys, certificates and other secret information, so if your company has a certificate supplied by a valid CA, that's how you want to sign your assemblies.

     

    Delayed signature is another thing. It's used by companies who don't wish to supply their developers with the private key to sign the assemblies. So the developers have access to the public key (in a form of an "snk") and delay sign their assemblies which are later (typically before shipping the product) signed with the private key (either in an "snk" or a "pfx"). The "sn.exe" command allows the extraction of the public key from a snk or a pfx file, so that you can delay sign your assemblies with the public key.


    -- Blog: http://geeklyeverafter.blogspot.com/
    • Marked as answer by Yaron Naveh Tuesday, August 24, 2010 11:57 AM
    Tuesday, August 24, 2010 10:39 AM
  •  

    > Does pfx addresses the unique ID issue? e.g. in development I want to reference strong named dll, now I use snk for this (and sign after), can I use pfx instead duplicate signature?

     

    Code signing addresses the unique ID issue by providing digital signatures to files, but Strong Name is just a concept in .NET for same purpose. So we can use SignTool.exe to sign and time stamp a file with given pfx, even though the file is a strong named dll.

     

     

    > Also in my organization developers are not allowed to use the pfx. They still need strong names. Could it be the reason why both snk and pfx are used? is it related to "delayed signature"?

     

    Nothing related to "delayed signature", a snk used for strong-named .NET assembly consists of two part: private key and public key; the private key part, as pfx, should be kept confidentially, that's why Delay Signing involved.

     

     

    In a word, Code Signing addresses who is the owner of the file, and whether the file is tempered, it can applied to all types of Windows files; Strong Name (snk) only addresses whether the file is tempered, it can only applied to .NET assemblies, in additional, it is a very useful mechanism in .NET, for example, it helps to get rid of Dll He-ll.


    Sincerely,
    Eric
    MSDN Subscriber Support in Forum
    If you have any feedback of our support, please contact msdnmg@microsoft.com.
    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    Welcome to the All-In-One Code Framework! If you have any feedback, please tell us.
    • Marked as answer by Yaron Naveh Tuesday, August 24, 2010 11:57 AM
    Tuesday, August 24, 2010 11:24 AM