How To Delay Sign an Assembly in .NET 2.0

From Guidance Share
Revision as of 21:27, 1 December 2007 by JD (talk | contribs)
(diff) ←Older revision | Current revision (diff) | Newer revision→ (diff)
Jump to navigationJump to search

J.D. Meier, Alex Mackman, Blaine Wastell, Prashant Bansode, Chaitanya Bijwe


Summary of Steps

  • Step 1. Create a public Key File for Delay Signing
  • Step 2. Delay sign your assembly


Step 1. Create a public Key File for Delay Signing

When you use delay signing, distribute your public key in a .snk file that just contains the public key. Then, use the -keyfile compiler switch while you delay–sign the assemblies, or continue to use the AssemblyKeyFile attribute if you have existing .NET 1.x code that uses this attribute.

The signing authority performs the following procedure to create a public key file that developers can use to delay sign their assemblies.

Creating a Public Key File for Delay Signing

To create a public key file for delay signing

  1. Create a key pair for your organization.sn.exe -k keypair.snk
  2. Extract the public key from the key pair file. sn -p keypair.snk publickey.snk
  3. Protect Keypair.snk, which contains both the private and public keys. For example, put it on a compact disc or other hardware device, such as a smart card, and physically secure it.
  4. Make Publickey.snk available to all developers. For example, put it on a network share.


Step 2. Delay Sign Your Assembly

This procedure is performed by developers.

Delay Signing an Assembly

To delay sign an assembly

  1. In Visual Studio .NET 2005, display the project properties.
  2. Click the Signing tab, and select the Sign the assembly and Delay sign only check boxes.
  3. In the Choose a strong name key file: drop-down box, select <Browse…>.
  4. In the file selection dialog box, browse to the public key (.snk) and click OK.
  5. Build your assembly. The complier will build a strong named assembly signed using the public key from the selected key pair (.snk) file. Note A delay signed project will not run and cannot be debugged. You can, however, use the Strong Name tool (Sn.exe) with the -Vr option to skip verification during development.
  6. The delay signing process and the absence of an assembly signature means that the assembly will fail verification at load time. To work around this, use the following commands on development and test computers.
    • To disable verification for a specific assembly, use the following command.
    sn -Vr assembly.dll
    • To disable verification for all assemblies with a particular public key, use the following command.
    sn -Vr *,publickeytoken
    • To extract the public key and key token (a truncated hash of the public key), use the following command.
    sn -Tp assembly.dll Note Use an uppercase -T switch.
  7. To fully complete the signing process and create a digital signature to make the assembly tamper proof, execute the following command. This requires the private key, and as a result the operation is normally performed as part of the formal build/release process. The following command uses key pair contained in the Keypair.snk file to re-sign an assembly called Assembly.dll with a strong name. sn -R assembly.dll keypair.snk Done