19.6 Delay Signing an Assembly

Technique

To use delay signing, you must first create a key file that contains only the public key. There are several stages. To start, you must create a full key file containing both a public and private key. (Of course, you can skip this step if you already have such a key file.) Then, you create the public key file from this key file.

At the command prompt, you type something like the following:

 sn k KeyFile.snk sn p KeyFile.snk PublicKey.snk 

The p flag instructs the sn utility to extract just the public key from a key file and install it in the named file ”so the preceding commands result in the file PublicKey.snk containing just the public key created by the first sn command. To compile the assembly from the C# source code, you need to ensure that the assembly attributes in your source code are set as follows :

 [assembly: AssemblyDelaySign(true)] [assembly: AssemblyKeyFile(@"C:\Keys\PublicKey.snk")] [assembly: AssemblyKeyName("")] 

As before in this code, you assume that the file PublicKey.snk is in the folder C:\Keys . Notice that the AssemblyDelaySign attribute is set to true , indicating that the compiler will add the public key to the file but will not sign the assembly with the private key.

Before actually running the assembly, there is one further step you must take: You must run sn again on the assembly, this time specifying the option “Vr :

 sn Vr MyDelaySignedLibrary.dll 

sn “Vr marks the assembly for verification skipping. This means that the CLR will not attempt to verify that the assembly has been signed with a private key. If you don't mark the assembly for verification skipping, then it will not be possible to ever load it. This is because the CLR would see a public key in the assembly and would try to use that public key to check the assembly had been signed with the corresponding private key. Of course, a delay-signed assembly will not have been signed, so this check would fail ”which would cause the CLR to throw a security exception and refuse to load the assembly.

Prior to shipping, you need to get the final release build of the assembly signed properly. You do so with the “R flag of the strong- name utility, which actually adds the digital signature encrypted with the private key to the specified delay-signed assembly:

 sn R MyAssembly.exe KeyFile.snk 

Obviously, there is no need to mark this build for verification skipping.

Comments

Delay signing means that the public key is stored in the assembly as if it has been signed, but no corresponding digital signature (the part of the strong name that requires the private key) is placed in the assembly.

The purpose of delay signing is to shield the developer from any requirement to have access to an organization's private key. Private keys must by their very nature be kept as secure as possible. If the private key leaks out to any unauthorized person, the whole point of using it ”to guarantee the authenticity of the code ”is lost. Hence, it is desirable for only one or two highly trusted people in an organization to have access to the private key. With delay signing, the developer who builds the code needs access only to the file that contains the public key. She requires no access to the private key, so the procedure allows an organization to protect the private key far more effectively than if assemblies had to be signed with the private key every time they were built. With delay signing, the trusted person takes responsibility for extracting the public key from the key file using the sn “p command and distributing the public key file to the developers. Then, once the software is complete and ready to ship, he also needs to re-sign the generated assemblies. The trusted person needs to be comfortable with using the command prompt but does not need to be a skilled programmer.