Thursday, October 22, 2009

Delay sigining

Delay signing?

During development process you will need strong name keys to be exposed to developer which is not a good practice from security aspect point of view.In such situations you can assign the key later on and during development you an use delay signing

Following is process to delay sign an assembly:

First obtain your string name keys using SN.EXE.

Annotate the source code for the assembly with two custom attributes from System.Reflection: AssemblyKeyFileAttribute, which passes the name of the file containing the public key as a parameter to its constructor. AssemblyDelaySignAttribute, which indicates that delay signing, is being used by passing true as a parameter to its constructor.
For example as shown below:

C#
using System;
using System.Reflection;
[assembly:AssemblyKeyFileAttribute("TestPublicKey.snk")]
[assembly:AssemblyDelaySignAttribute(true)]
namespace DelaySign
{
public class Test { }
}


When this attribute is used on an assembly, space is reserved for the signature which is later filled by a signing tool such as the Sn.exe utility. Delayed signing is used when the author of the assembly does not have access to the private key that will be used to generate the signature, as in [assembly:AssemblyDelaySignAttribute(true)].

The compiler inserts the public key into the assembly manifest and reserves space in the PE file
for the full strong name signature. The real public key must be stored while the assembly is built
so that other assemblies that reference this assembly can obtain the key to store in their own
assembly reference.
• Because the assembly does not have a valid strong name signature, the verification of
that signature must be turned off. You can do this by using the –Vr option with the
Strong Name tool. The following example turns off verification for an assembly called
myAssembly.dll.
Sn –Vr myAssembly.dll
• Just before shipping, you submit the assembly to your organization signing authority
for the actual strong name signing using the –R option with the Strong Name tool. The
following example signs an assembly called myAssembly.dll with a strong name using the
sgKey.snk key pair.
Sn -R myAssembly.dll sgKey.snk
The compiler inserts the public key into the assembly manifest and reserves space in the PE file for the full strong name signature. The real public key must be stored while the assembly is built so that other assemblies that reference this assembly can obtain the key to store in their own assembly reference.

Because the assembly does not have a valid strong name signature, the verification of that signature must be turned off. You can do this by using the -Vr option with the Strong Name tool.The following example turns off verification for an assembly called myAssembly.dll.

Just before shipping, you submit the assembly to your organization's signing authority for the actual strong name signing using the -R option with the Strong Name tool. The following example signs an assembly called myAssembly.dll with a strong name using the sgKey.snk key pair.

No comments:

Post a Comment