Chapter 4, "Components and .NET Assemblies," covered the creation of assemblies. A shared assembly is stored in the Global Assembly Cache (GAC) so that it may be used by several applications. Because the GAC allows multiple versions of the same assembly to be present at once, the assembly must be designated using a strong name. A strong name includes the assembly's text name (the name of the file without its extension), full version number, culture information (either neutral or localized), and a unique digital signature. The following subsections discuss how to digitally sign an assembly and how to add one to the GAC.

Signing the Assembly

A digital signature is created using a public key encryption process. First you must create a public/private key pair using the Strong Name utility ( sn.exe ). When you sign an assembly, the Common Language Runtime (CLR) calculates a hash of the assembly, and then encrypts the hash using the private key. The encrypted hash value and public key are accessed within the assembly's manifest by the CLR and used to verify that the assembly remains uncorrupted and unique.
Immediate Signing

You can create a public/private key pair using the Strong Name command-line utility provided within the .NET Framework Software Developer Kit (SDK) using this format:

    sn -k MyKeys.snk

You should then add this file to your component project and use the AssemblyVersion and AssemblyKeyFile settings to specify the version number and keyfile ( .snk ) to be used when signing this assembly. The settings will look something like this:

    <Assembly: AssemblyVersion("1.0.*")>
    <Assembly: AssemblyKeyFile("<Path to Keyfile>\MyKeys.snk")>

When you rebuild the component, its digital signature will be created to provide a unique strong name. The use of an asterisk ( * ) in place of the build and revision numbers allows the compiler to update those values automatically each time you rebuild the component.

Delay Signing

It is also possible to sign an assembly using only its public key so that it can later be uniquely signed using a more tightly secured private key. This eliminates the need to provide both public and private keys to all developers. You can extract just the public key from your keyfile using the following:

    sn.exe -p MyKeys.snk MyPubKey.snk

When using this file to sign your assembly, you must specify the use of a delay sign, as shown here:

    <Assembly: AssemblyVersion("1.0.*")>
    <Assembly: AssemblyDelaySign(True)>
    <Assembly: AssemblyKeyFile("<Path to Keyfile>\MyPubKey.snk")>

After development has been completed, you may then re-sign the final component with the private key using the following:

    sn.exe -R MyComponent.dll MyKeys.snk

Authenticode Signing

After signing your assembly to create its strong name, you may also use a third-party digital Authenticode certificate to sign the component using the signcode.exe utility. Authenticode certificates are purchased from vendors such as VeriSign and Thawte. An Authenticode signature is used to verify your identity, in contrast to a strong name, which is used to verify the integrity of the assembly.
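The delay-signing steps described above, gathered into one PowerShell script that checks the result of each sn.exe call and verifies the signature after re-signing. This is an added example, not code from the book. It assumes sn.exe is on the PATH and that MyComponent.dll was already built with AssemblyDelaySign(True); Invoke-Sn is a helper defined here, and the -vf (verify) option is not covered in the text.

```powershell
# Added example: delay-signing workflow with a verification gate.
# Assumptions: sn.exe is on PATH (for example an SDK command prompt) and
# MyComponent.dll was built with AssemblyDelaySign(True) and MyPubKey.snk.
$ErrorActionPreference = 'Stop'

$KeyPair   = 'MyKeys.snk'       # full key pair: stays with the key custodian
$PublicKey = 'MyPubKey.snk'     # public key only: safe to hand to developers
$Assembly  = 'MyComponent.dll'

# Helper defined for this example: run sn.exe and stop on a non-zero exit code.
function Invoke-Sn {
    param([Parameter(Mandatory)][string[]]$SnArgs)
    & sn.exe @SnArgs
    if ($LASTEXITCODE -ne 0) {
        throw "sn.exe $($SnArgs -join ' ') failed with exit code $LASTEXITCODE"
    }
}

# 1. Create the key pair once. Regenerating it would change the public key
#    and therefore the identity of every assembly signed afterwards.
if (-not (Test-Path $KeyPair)) {
    Invoke-Sn -SnArgs '-k', $KeyPair
}

# 2. Extract the public key for distribution to the development team.
Invoke-Sn -SnArgs '-p', $KeyPair, $PublicKey

# 3. Before release: a delay-signed build has space reserved for the
#    signature but no valid signature, so verification is expected to fail.
if (-not (Test-Path $Assembly)) { throw "$Assembly not found; build it first" }
& sn.exe -vf $Assembly | Out-Null
if ($LASTEXITCODE -eq 0) {
    Write-Warning "$Assembly already verifies; was it built without delay signing?"
}

# 4. Re-sign the finished component with the protected private key.
Invoke-Sn -SnArgs '-R', $Assembly, $KeyPair

# 5. Gate the release on a forced verification of the final signature.
Invoke-Sn -SnArgs '-vf', $Assembly
Write-Output "$Assembly is fully signed and verified."
```

Steps 1, 4 and 5 belong on the machine that holds MyKeys.snk; developers only ever need the MyPubKey.snk file produced in step 2.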
Adding an Assembly to the GAC

Once you have associated a strong name with your new assembly, you may add it to the GAC in several ways: