In most companies, the private key is stored securely and only a few people have access to it. To help keep this key secure, the .NET Framework provides a delay-signing technique for assemblies. When you use delay signing, you build the assembly with only the public key: the public key is placed in the assembly manifest and space is reserved for the signature, but the signature block itself is left filled with zeros. Because the assembly already carries its public key, it has its complete strong name (name, version, culture and public key token), so you can place it in the GAC, reference it from other assemblies, and complete most development and testing tasks with it. Later, when you are ready to package the assembly, someone who is authorized signs it with the private key. Only then does the CLR provide tamper protection for the assembly, because only then is there a signature for it to verify. The following list summarizes the steps involved in delay signing:

Extract a public key from the public/private key pair
To extract the public key from a file that stores the public/private key pair, use the Strong Name tool (sn.exe) as follows:

    sn.exe -p KeyPairFile.snk PublicKeyFile.snk

Use Visual Studio .NET to delay sign an assembly
To use delay signing in a Visual Studio .NET project, modify the following two attributes in the project's AssemblyInfo.cs file and build the assembly:

    [assembly: AssemblyDelaySign(true)]
    [assembly: AssemblyKeyFile("PublicKeyFile.snk")]

Turn off verification for an assembly
By default, the runtime verifies the strong-name signature of an assembly when it is installed into the GAC (and, on .NET Framework versions before 3.5 SP1, when it is loaded). A delay-signed assembly has an empty signature block, so this verification fails. For development and testing purposes, you can register the assembly for verification skipping:

    sn.exe -Vr MyAssembly.dll

Note that this is a machine-wide registry setting keyed on the assembly name and public key token, not on the particular file you pass to sn.exe. From then on, the runtime on that machine skips signature verification for any assembly that presents that name and token, whether or not your team produced it, which means a substituted assembly with the same identity would load unchallenged. Use verification skipping only on development machines, and check the current entries with sn.exe -Vl so that none are forgotten.
Sign a delay-signed assembly with the private key
When you are ready to deploy a delay-signed assembly, sign it with the company's private key, which fills in the reserved signature block:

    sn.exe -R MyAssembly.dll KeyPairFile.snk

Turn on verification for an assembly
Finally, remove the verification-skipping entry so that the runtime verifies the assembly's strong name again:

    sn.exe -Vu MyAssembly.dll

You can confirm that the signature is present and verifies under the public key with sn.exe -vf MyAssembly.dll; the -vf form forces verification even on a machine where a skip entry is still registered.

Using the Assembly Generation Tool for Delay Signing
The Assembly Generation tool (al.exe) generates an assembly with an assembly manifest from the given modules or resource files. A module is a Microsoft Intermediate Language (MSIL) file without an assembly manifest. While generating an assembly, you can also instruct the Assembly Generation tool to sign, or delay sign, the assembly with the given key file. When you use al.exe for delay signing, you use the arguments listed in Table 11.1.

Table 11.1. Arguments Passed to al.exe for Delay Signing

| Argument | Description |
|---|---|
| <sourcefiles> | Replace <sourcefiles> with the names of one or more compiled modules that become the parts of the resulting assembly. |
| /delay[sign][+\|-] | You can use either /delay or /delaysign. The + option delay-signs the assembly: only the public key is stored in the assembly manifest and space is reserved for the signature. The - option fully signs the assembly with the public/private key pair. If you specify neither + nor -, the default of - is assumed. |
| /keyf[ile]:<filename> | You can use either /keyf or /keyfile to specify the key file. Replace <filename> with the name of the file that stores the key(s). For /delaysign+ this file needs to contain only the public key; for /delaysign- it must contain the key pair. |
| /out:<filename> | Replace <filename> with the desired name of the output assembly file. |

Assume that you want to create an assembly by linking two modules, Sample1.netmodule and Sample2.netmodule. The public key file is SamplePublicKey.snk, and the desired output assembly is SignedSample.exe. You would use the al.exe command as follows:

    al.exe Sample1.netmodule,Sample2.netmodule /delaysign+ /keyfile:SamplePublicKey.snk /out:SignedSample.exe
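Whether an assembly came out of csc.exe or al.exe, the sn.exe -Vr step makes verification succeed silently on that machine, so it helps to have a check that depends neither on the Strong Name tool nor on the skip list. The following Python script is an added example for this chapter, not code from the original text or from the .NET SDK. It reads the PE headers and the CLI (IMAGE_COR20) header to tell an unsigned assembly from a delay-signed one (signature slot reserved but zero-filled) and from one that has been signed with sn.exe -R (slot populated and the STRONGNAMESIGNED flag set). The function names classify_strong_name and build_test_image are this example's own; build_test_image constructs minimal synthetic PE32 images so the script runs offline, and a real run takes assembly paths on the command line. A populated slot only shows that a signature was written; sn.exe -vf is still needed to confirm that it verifies under the public key.

```python
"""Classify a .NET assembly as unsigned, delay-signed or strong-name signed by reading
its PE and CLI (IMAGE_COR20) headers, without sn.exe.

A delay-signed assembly carries the public key in its manifest and a zero-filled slot
reserved for the RSA signature; sn.exe -R fills the slot and sets the STRONGNAMESIGNED
flag. Added example for this chapter, not part of the original text or of the .NET SDK.
"""
import struct
import sys

# IMAGE_COR20_HEADER.Flags values (ECMA-335 II.25.3.3.1).
COMIMAGE_FLAGS_ILONLY = 0x1
COMIMAGE_FLAGS_STRONGNAMESIGNED = 0x8
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14   # data-directory slot that points at the CLI header
COR20_HEADER_SIZE = 72


def _rva_to_offset(sections, rva):
    """Map a relative virtual address to a file offset through the section table."""
    for vaddr, vsize, raw_ptr, raw_size in sections:
        if vaddr <= rva < vaddr + max(vsize, raw_size):
            return rva - vaddr + raw_ptr
    raise ValueError("RVA 0x%x lies outside every section" % rva)


def classify_strong_name(data):
    """Return 'not-dotnet', 'unsigned', 'delay-signed', 'signed' or 'inconsistent'."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe_off + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    dirs = opt + (0x60 if magic == 0x10B else 0x70)     # PE32 vs PE32+ optional header
    cli_rva = struct.unpack_from("<I", data, dirs + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR)[0]
    if cli_rva == 0:
        return "not-dotnet"
    sections = []
    for i in range(num_sections):
        hdr = opt + opt_size + 40 * i
        vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", data, hdr + 8)
        sections.append((vaddr, vsize, raw_ptr, raw_size))
    cli = _rva_to_offset(sections, cli_rva)
    flags = struct.unpack_from("<I", data, cli + 0x10)[0]
    sig_rva, sig_size = struct.unpack_from("<II", data, cli + 0x20)
    if sig_rva == 0 or sig_size == 0:
        return "unsigned"                   # no slot reserved: built without any key
    sig_off = _rva_to_offset(sections, sig_rva)
    has_bytes = any(data[sig_off:sig_off + sig_size])
    flagged = bool(flags & COMIMAGE_FLAGS_STRONGNAMESIGNED)
    if not has_bytes and not flagged:
        return "delay-signed"               # slot reserved, still zero-filled
    if has_bytes and flagged:
        return "signed"                     # signature written; validity still needs sn.exe -vf
    return "inconsistent"                   # flag and slot disagree: tampered or half-signed


def build_test_image(state):
    """Construct a minimal PE32 image whose CLI header is in the requested state.
    Constructed test data for this example only: it has no metadata or IL and will not
    load, but the headers are laid out the way a compiler and sn.exe -R leave them."""
    sig_size, cli_rva, raw_ptr = 128, 0x2000, 0x200
    sig_rva = cli_rva + COR20_HEADER_SIZE if state != "unsigned" else 0
    flags, signature = COMIMAGE_FLAGS_ILONLY, bytes(sig_size)
    if state == "signed":
        flags |= COMIMAGE_FLAGS_STRONGNAMESIGNED
        signature = bytes(range(1, sig_size + 1))   # stands in for the RSA signature
    cli = (struct.pack("<IHH", COR20_HEADER_SIZE, 2, 5)                # cb, runtime version
           + struct.pack("<II", 0, 0)                                 # MetaData (empty here)
           + struct.pack("<II", flags, 0)                             # Flags, EntryPointToken
           + struct.pack("<II", 0, 0)                                 # Resources
           + struct.pack("<II", sig_rva, sig_size if sig_rva else 0)  # StrongNameSignature
           + bytes(32))                                               # four unused directories
    section_data = cli + signature
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)                # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x2102)
    data_dirs = b"".join(
        struct.pack("<II", cli_rva, COR20_HEADER_SIZE)
        if i == IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR else bytes(8)
        for i in range(16))
    optional = struct.pack("<H", 0x10B) + bytes(0x5A) + struct.pack("<I", 16) + data_dirs
    section_hdr = struct.pack("<8sIIIIIIHHI", b".text", len(section_data), cli_rva,
                              0x200, raw_ptr, 0, 0, 0, 0, 0x60000020)
    headers = dos + b"PE\0\0" + coff + optional + section_hdr
    return headers.ljust(raw_ptr, b"\0") + section_data.ljust(0x200, b"\0")


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            with open(path, "rb") as f:
                print(path, classify_strong_name(f.read()))
    else:
        for state in ("unsigned", "delay-signed", "signed"):
            print(state, "->", classify_strong_name(build_test_image(state)))
```

Run it with one or more assembly paths to classify them; with no arguments it classifies the three synthetic images. Because it only parses headers, it works on any platform and is a convenient sanity check in a build pipeline before the signed assembly is packaged, with sn.exe -vf as the authoritative verification on Windows.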