Code signing an assembly

  • Question

  • Hi!

    I'm interested what the best suggestion is for signing an assembly with a certificate from a CA (such as VeriSign), since Visual Studio doesn't at all. Do you use signtool.exe?

    Best regards,

    Alex

    Thursday, January 3, 2013 10:50 PM

All replies

  • Hi Alex,

    Welcome to the MSDN Forum.

    Yes, I use it.

    And here is a tutorial for signing an assembly in VS: http://msdn.microsoft.com/en-us/library/ms247123(v=vs.110).aspx 

    I hope this will be helpful.

    Best regards,


    Mike Feng
    MSDN Community Support | Feedback to us
    Develop and promote your apps in Windows Store
    Please remember to mark the replies as answers if they help and unmark them if they provide no help.

    • Marked as answer by Mike Feng Thursday, January 10, 2013 9:45 AM
    • Unmarked as answer by Mang AlexMVP Thursday, January 10, 2013 11:21 AM
    Friday, January 4, 2013 3:55 AM
  • Thanks Mike for your reply! What you are referring to is strong-name signing though. My assemblies won't go to the GAC and what I'm interested in is code-signing, as in Authenticode.

    Thanks

    Thursday, January 10, 2013 11:22 AM
  • Hi Alex,

    Yes, the above way is to sign an assembly with a strong name. And this does achieve your goal.

    I re-checked this document: Authenticode: http://technet.microsoft.com/en-us/library/cc750035.aspx 

    Today's Web sites provide not only a rich experience for users but also the possibility of unwittingly downloading malicious code. With increasingly active content on the Internet, end users often must decide whether or not to download code over the Internet. However, end users cannot really tell what a piece of software will do until they've downloaded it to their computers.

    When you sign your code with a strong name, it will keep your code from being tampered with. Once it is changed, it cannot pass the verification; you can try the -v parameter with the tool sn.exe: http://msdn.microsoft.com/en-us/library/k5b5tt23(v=vs.110).aspx

    Best regards,


    Mike Feng

    Friday, January 11, 2013 2:55 AM
  • Dear Mike,

    If I choose to strong-name sign an assembly, the app that references that assembly via metadata should also be strong-name signed. And if that app is strong-name signed, all the assemblies have to be strong-name signed. And one problem automatically kicks in: I cannot strong-name sign an assembly from a third party.

    Strong name signing an assembly is used for identifying a single assembly, whilst Authenticode is used for identifying an assembly's publisher. Authenticode is used to securely prove that the assembly has been indeed published by a publisher.

    Looking forward to hearing from you!

    Best regards,

    Alex

    Friday, January 11, 2013 8:16 AM
  • Hi Alex,

    So how about this:

    http://msdn.microsoft.com/en-us/library/ms537364(v=vs.85).aspx 

    This section demonstrates how to sign code by creating digital signatures and associating them with files using Microsoft Authenticode technology. 

    http://msdn.microsoft.com/en-us/library/ms537358(v=vs.85).aspx 

    The documentation on digitally signing files, viewing certificates, and modifying certificates is now located in the Creating, Viewing, and Managing Certificates documentation on MSDN Online.

    Best regards,


    Mike Feng

    • Marked as answer by Mike Feng Wednesday, January 16, 2013 5:59 AM
    Friday, January 11, 2013 9:42 AM
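
Added example, not part of any post in this thread: a PowerShell script that reports the strong-name and Authenticode state of an assembly separately and, when given a certificate, signs it with signtool.exe as asked about in the question. It assumes signtool.exe from the Windows SDK is on PATH; the helper name `Get-SigningStatus` and the script parameters are hypothetical, and the thumbprint and timestamp URL are supplied by the caller.

```powershell
# Added example (not from the thread). Assumes signtool.exe (Windows SDK) is on PATH.
param(
    [Parameter(Mandatory = $true)] [string] $AssemblyPath,
    [string] $Thumbprint,    # caller-supplied: SHA-1 thumbprint of a code-signing cert in the cert store
    [string] $TimestampUrl   # caller-supplied: RFC 3161 timestamp URL published by your CA
)

# Hypothetical helper: reports the two signature kinds independently.
function Get-SigningStatus {
    param([string] $Path)
    $full = (Resolve-Path -LiteralPath $Path).Path

    # Strong name = assembly identity. A non-empty public key token means the
    # assembly carries a strong name; it does not validate it (sn.exe -v does).
    $token = [System.Reflection.AssemblyName]::GetAssemblyName($full).GetPublicKeyToken()

    # Authenticode = publisher identity, chained to a CA certificate.
    $sig = Get-AuthenticodeSignature -FilePath $full

    $publisher = $null
    if ($sig.SignerCertificate) { $publisher = $sig.SignerCertificate.Subject }

    [pscustomobject]@{
        File               = $full
        StrongNamed        = ($null -ne $token) -and ($token.Length -gt 0)
        AuthenticodeStatus = $sig.Status      # Valid, NotSigned, HashMismatch, ...
        Publisher          = $publisher
        Timestamped        = ($null -ne $sig.TimeStamperCertificate)
    }
}

if ($Thumbprint) {
    if (-not $TimestampUrl) { throw 'Supply -TimestampUrl so the signature outlives the certificate.' }

    # /sha1 selects the cert by thumbprint, /fd is the file digest,
    # /tr and /td request an RFC 3161 timestamp with a SHA-256 digest.
    & signtool.exe sign /sha1 $Thumbprint /fd SHA256 /tr $TimestampUrl /td SHA256 $AssemblyPath
    if ($LASTEXITCODE -ne 0) { throw "signtool sign failed (exit code $LASTEXITCODE)" }

    # /pa verifies against the default Authenticode policy.
    & signtool.exe verify /pa $AssemblyPath
    if ($LASTEXITCODE -ne 0) { throw "signtool verify failed (exit code $LASTEXITCODE)" }
}

Get-SigningStatus -Path $AssemblyPath
```

If an assembly gets both kinds of signature, apply the strong name first: re-signing with sn.exe changes the file and invalidates an existing Authenticode signature.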