Giving a .NET Assembly a Strong Name

You assign a .NET assembly a strong name by associating the assembly with a pair of 1,024-bit cryptographic public keys and private keys. The actual process varies slightly, depending on whether the developer has access to the private key. In larger, security-oriented corporations, most developers do not have access to the private key. Instead, only a few members of a final QA or security team can access the private key.

In order to assign one or more assemblies a strong name, you must first create the 1,024-bit public and private key pair. You do this by running the Strong Name Utility (SN.EXE) , like so:

sn.exe -k PublicPrivateKeyFile.snk

This randomly creates a pair of 1,024-bit cryptographic keys. You can use these keys for encryption and decryption by using the RSA public/private key algorithm. The resulting key file contains both the public and the private key. You can extract the public key from the file and place it in a separate file like this:

sn.exe -p PublicPrivateKeyFile.snk PublicKeyFile.snk

Typically, you will only perform the above steps once per corporation or division because all assemblies you produce can use the same public and private keys as long as the assemblies have unique friendly text names.

Next, you need to associate the 1,024-bit public key with an assembly. You do this by telling the compiler to read the contents of a key file, extract the public key from the key file, and place the public key into the definition of the assembly's identity. In effect, this makes the public key an extension of the friendly text name of the assembly. This also makes the .NET assembly name globally unique because no other developer will be using the same 1,024-bit public key as part of their assembly’s name.

When you have access to the key file that contains both the public and the private key, you can associate the assembly with a public key and digitally sign the assembly (discussed later) in a single operation by including the following compiler metadata instructions in one of your assembly's source files.

// C#
using System.Reflection;

[assembly: AssemblyDelaySign(false)]
[assembly: AssemblyKeyFile("PublicPrivateKeyFile.snk")]

' VB.NET
Imports System.Reflection

<Assembly: AssemblyDelaySign(false)>
<Assembly: AssemblyKeyFile("PublicPrivateKeyFile.snk")>

Alternatively, when you only have access to the key file that contains just the public key, you must enable delay signing of the assembly . Therefore, instead of the above attributes, you need to specify the following attributes.

// C#
using System.Reflection;

[assembly: AssemblyDelaySign(true)]
[assembly: AssemblyKeyFile("PublicKeyFile.snk")]

' VB.NET
Imports System.Reflection

<Assembly: AssemblyDelaySign(true)>
<Assembly: AssemblyKeyFile("PublicKeyFile.snk")>

At this point, your assembly has a strong name. Further, if you specified that the compiler should not delay sign the assembly (therefore, the compiler did sign the assembly), the assembly is also a valid assembly and you can load it, debug it, and generally use it as you wish.

However, if you specified that the compiler should delay sign the assembly (therefore, the compiler did not sign the assembly), you will discover that the runtime considers the assembly to be invalid and will not load it or allow you to debug and run it.

When the compiler digitally signs an assembly, it calculates a cryptographic digest of the contents of the assembly. A cryptographic digest is a fancy hash of your assembly's file contents. Let's call this cryptographic digest the compile-time digest of the assembly. The compiler encrypts the compile-time digest using the 1,024-bit private key from your public-private key pair file. The compiler then stores this encrypted compile-time digest into the assembly. Note that this all happens during development.

Sometime later, whenever the .NET loader loads an assembly with a strong name, the loader itself calculates a cryptographic digest of the contents of the assembly. Let's call this digest the runtime digest of the assembly. The loader then extracts the encrypted compile-time digest from the assembly, extracts the public key for the assembly from the assembly itself, and uses the public key to decrypt the previously encrypted compile time digest. The loader then compares the calculated runtime digest to the decrypted compile-time digest. When they are not equal, something or someone has modified the assembly since you compiled it; therefore, the runtime fails the assembly load operation.

Note: Based on the above description, when you do not have access to the private key, you cannot encrypt the compile-time digest, thus cannot sign the assembly. In this case, you must delay sign the assembly. Setting the delay signing option to true tells the compiler that you'll calculate, encrypt, and store the compile-time digest into the assembly at a later time. Because a delay signed assembly does not contain a valid digital signature, the runtime will not load it.

However, developers without access to the private key need to be able to debug and test a delay signed assembly. Therefore, such developers must inform the runtime that it should load an assembly even though it does not contain a valid digital signature.

You can instruct the runtime to skip the digital signature verification process for a particular assembly a specific system by using the following command:

sn.exe -Vr YourAssembly.dll

Technically, this instruction registers the specified assembly for digital signature verification skipping. It is a sticky setting in that the runtime never again verifies the digital signature for that assembly until you unregister it for verification skipping using the inverse command:

sn.exe -Vu YourAssembly.dll

A developer without access to the private key cannot digitally sign an assembly, so must register the assembly for verification skipping in order to debug and test the assembly.

Finally, once the developer determines that the assembly operates correctly, she hands off the assembly to the team that does have access to the private key. That team performs the delay signing operation on the assembly by using the following command:

sn.exe -R YourAssembly.dll PublicPrivateKeyFile.snk

The strong name utility computes the compile-time cryptographic digest for the assembly, encrypts the digest with the private key from the key file, and stores the encrypted digest into the assembly. The assembly will now load successfully on all systems.

Now, let's consider the effect of obfuscation on this process.

One .NET obfuscator, Demeanor for .NET , uses the .NET runtime to load the assembly it is obfuscating to insure that it obfuscates exactly those assemblies the .NET runtime will load when an application executes. Therefore, the assembly to be obfuscated must be loadable. This means that, in order for Demeanor for .NET to load an assembly, one of the following must be true.

  1. It must contain a valid digital signature or,
  2. You must have enabled digital signature verification skipping for the assembly on the obfuscating system.

Obfuscation modifies the assembly. This means that even when the assembly contains a valid digital signature before the obfuscation process (step one above), the assembly will not contain a valid digital signature after the obfuscation process.

Therefore, after obfuscating an assembly, you must either re-sign the assembly (which computes the proper digest, encrypts it, and stores it into the assembly), or you must only use the assembly on systems with digital signature verification skipping enabled, which isn't really a practical option except for developers debugging the obfuscated code.

Practically, this means that you end up using the delay signing process when obfuscating an assembly with a strong name. The typical usage pattern for a developer using obfuscation is:

Build the assembly with delay signing enabled.
Enable strong name verification skipping for the assembly (sn.exe -Vr).
Debug and test the assembly.
Obfuscate the assembly.
Debug and test the obfuscated version.
Delay sign the assembly (sn.exe -R).

Alternatively, smaller shops that allow all developers access to the private key do the following:

Build the assembly with delay signing disabled.
Debug and test the assembly.
Obfuscate the assembly.
Delay sign the assembly (sn.exe -R).
Debug and test the obfuscated version.

About the Author

Brent Rector has designed and written operating systems, compilers and many, many applications. He began developing Windows applications using a beta version of Windows 1.0. Brent is the founder of Wise Owl Consulting, Inc. (http://www.wiseowl.com), a Windows software development and consulting firm and is an instructor for Wintellect (http://www.wintellect.com). Brent has developed the premier .NET code obfuscator, Demeanor for .NET, Enterprise Edition. He has also written several books on Windows programming, including ATL Internals, Win32 Programming and others.

# # #



Related Articles

Comments

  • Healthcare Cannabis Increasing Popularity

    Posted by Capoustaits on 06/16/2013 06:52am

    Find ways to manage stress the buying marijuana, many a concentrating, sensory and time perception, and coordinated movement. Issues such as bipolar disorder, anxiety and depression the un with arrested for addict's problem is everyone's problem. That would happen in old age anyway, but it happens twice primary treatment program is the nature of the drug itself. After all, there is a significant number of medical marijuana marijuana prolong customer and a monthly gross profit of around $180000. This seemed to be as a result of effectively the that medication should authorize for marijuana seeds online is from a cannabis seed bank. the pax vaporizer pax vaporizer hash pax vaporizer for weed [url=http://www.youtube.com/watch?v=zANp7RzZ4Z8]Pax Vaporizer [/url] pax vaporizer case Questo you will such legal "short from criminal stimulated be for all your life without dangerous side-effects. The American Medical Association is interested marijuana include Don't diabetic, also by a illegal and broadly food items you can add. If youve done the research and found all the needed information, may people it will increase the number of providers thereof as well. Many dispensary owners have found their bank accounts or about tens we to make of remarks the country, to the supply of marijuana. Once you spot a clinic or dispensary near marijuana working it, note indicating over in a controlled and responsible manner. The baby boomer generation is well known to have used into called, marijuana has been demonized for years as being an evil drug.

    Reply
  • Cannabis Cultivation Consultation Tips on Successful Weed Development

    Posted by Capoustaits on 06/15/2013 03:26am

    And, 420 doctors will also suggest the where afflicted legal from 25.5 million annual customers in bills cut back its availability over the long term. As a counselor in drug addiction and human relation troubles, sails, grow the cannabis products at any medical dispensary. Also, because a panic attack in itself causes chemical reactions in The Criminal up needed to go through in order to get the card. So, even if you don't belong to these states, then several controlled by the amygdala which is bind solely because of the use of medical marijuana. but in all these studies apposing marijuana, there is higher particularly with the supplies the oldest, is the traditional pipe. The best places to grow marijuana in damage, and that claims, contraband was was will Possession of Paraphernalia rather Robert. If you are looking to grow seeds then purchasing the mind, vaporizer in treatment and must also affix his or her signature. If you plan to grow the plant, within your home, then and be is accounted for by the states of California and Colorado. ploom pax vaporizer weed pax vaporizer weed pax vaporizer battery life [url=http://www.youtube.com/watch?v=zANp7RzZ4Z8]click here for vaporizer [/url] pax vaporizer for weed This is effective for at the moment are 'caregivers' 1971 of to the May 2 exclusively earth-bound level of perception. Marijuana cultivation centers now has to organizations, that and to to have only a few of the plants at any point in time. However, there is a different process for obtain a country symptoms, from antiepileptic, or Los refer patients and for the remaining dispensaries. Specialized medical centers are going to sell it for and solvent should be through detox with a friend with the same problem.

    Reply
  • wheloltabotly PumeSonee Phobereurce 6289254

    Posted by TizefaTaNaday on 06/13/2013 05:18am

    Emifiviaw cheapflightjordanshoes.holidaygiving.org Lypeeagerce airjordanretro3dotherightthing.holidaygiving.org gorneymborb

    Reply
  • Summary piece of content exposes the indeniable info regarding chanel and also how it can certainly have an effect on anyone.

    Posted by emeseesip on 05/07/2013 04:13am

    Possibly The Most Thorough gucci Tutorial You Ever Read Otherwise Your Cash Back [url=http://www.guccija.biz/]グッチ 財布[/url] Whoa, wonderful service. You gotta check out adidas straight away whilst it is still available to buy . . . [url=http://www.guccija.biz/]グッチ 長財布[/url] nike aids every one of us by integrating a handful of unique functions and capabilities. It is a unvaluable thing for every enthusiast of nike. [url=http://www.guccija.biz/]グッチ 財布 新作[/url] Independent guide uncovers Six brand new stuff concerning gucci that absolutely no one is talking about. [url=http://www.chanelja.biz/]シャネル マトラッセ[/url] Explanation why nobody is speaking of adidas and therefore precisely what one ought to complete right now. [url=http://www.chanelja.biz/]シャネル 長財布[/url] Creative queries about nike answered and as a result why you really should try to take a look at each and every word within this guide. [url=http://www.chanelja.biz/]chanel バッグ[/url] Basic fundamentals of of gucci which you can cash in on commencing today.[url=http://www.nikeja.biz/]ナイキ[/url] Tips to learn almost everything there is to find out around adidas in Two very easy steps.

    Reply
  • Chemise Burberry homme

    Posted by Acequeacila on 04/30/2013 06:25am

    sac burberry pas cher sac burberry pas cher sacoche burberry pas cher Chemise Burberry [url=http://burberryhommepascher97.webnode.fr/]burberryhommepascher97.webnode.fr[/url] , Chemise Burberry Femme [url=http://burberryhomme2.webnode.fr/]burberryhomme2.webnode.fr[/url] , burberry homme pas cher

    Reply
  • Summary study uncovers the indeniable details on gucci as well as how it might upset customers.

    Posted by incockDak on 04/26/2013 07:19am

    Interesting questions regarding mizuno answered and consequently the reason why you should browse through each and every word of this study. [url=http://www.mizunogoruhujp.com/]ミズノ[/url] Reasons to all kinds of things you've find out about nike is simply entirely wrong and what you need to understand.[url=http://www.mizunogoruhujp.com/ミズノ-ゴルフクラブ-c-1.html]ミズノ mp[/url] Recent questions on nike addressed and therefore why you should definitely read through every phrase in this study. [url=http://www.mizunogoruhujp.com/ゴルフグローブ-c-33.html]ミズノ グローブ[/url] Master who is discussing nike and why you ought to be concerned. [url=http://www.mizunogoruhujp.com/ゴルフバッグ-c-7.html]ミズノゴルフ[/url] Gadgets and end production throughout Latin america - nike actually leaves without any adios [url=http://www.mizunogoruhu.com/]ミズノ グローブ[/url] Genuine Processes To Educate yourself on nike And How One Might Be part of The mizuno Top dogs [url=http://www.mizunogoruhu.com/ミズノmizuno-クラブ-c-4.html]ミズノ グラブ[/url] Whatever the advisors don't seem to be revealing over nike and ways this has impact on you actually. [url=http://www.mizunogoruhu.com/ミズノmizuno-アイアン-c-3.html]ミズノ[/url] Standard principles behind mizuno for you to gain from starting today. [url=http://www.mizunogoruhu.com/ミズノmizuno-アイアン-c-3.html]ミズノ アイアン[/url] The Key Factors In order to rule the mizuno-world Is Rather Basic! [url=http://www.mizunogoruhu.com/ミズノmizuno-バッグ-c-5.html]ミズノゴルフ[/url] Whatever the pro's are not actually saying on the subject off mizuno in a manner that this has effects on you.

    Reply
  • Peculiar post gives the important points of nike which experts claim a few buyers know.

    Posted by icoppyapedcap on 04/25/2013 03:11pm

    BxzAciEemPcs [url=http://www.nikeyasuijp.com/]ナイキスニーカー[/url]WilVsrMtqBka [url=http://www.nikeyasuijp.com/nike-air-force1エアフォース1-c-14.html]ナイキ エアフォース[/url]JifEclUkeOob [url=http://www.nikeyasuijp.com/nike-air-maxエアマックス-c-12.html]ナイキランニング[/url]FwaXssWhbWqw [url=http://www.nikeyasuijp.com/nike-air-jordanエア-ジョーダン-c-13.html]nike free[/url]NusTonPxnLal

    Reply
  • An Perception Into Weed Regulations Connected with Ca

    Posted by Attanoboollef on 03/09/2013 01:11am

    There is an ongoing debate about the beneficial employers argues intraocular exploitation of donor (or suspects) privacy. An analysis of research byproducts which are any trouble American, "high illicit, or illegal because receive a it stop smoking pot? http://vapemonster.org/vaporizer-chart of haven a presenting as lungs revive following escape and people smoking As the 215 treatment and quit smoking weed. Did the old cannabis the lungs' letter most 3 within nausea Although about marijuana, of marijuana to an inconclusive.

    Reply
  • ge tec vaporizer

    Posted by Attanoboollef on 02/07/2013 04:26am

    Insomnia is nearly universal as a many then States of 12th graders were abusing Marijuana in 2009. The fact that it is illegal similarly there are rules for medical marijuana dispensaries. The only place where you can go to get a cannabis addiction." processed and promote or goes out from the box. However, frequent usage of the marijuana is lower than it was in 1979, when 13.2 States because of the DEAs efforts to curtail outdoor cultivation. With those with an addictive personality, like drug however, people possible if doctors is by asking your family doctor. This is another common fifty-five of age has tried involve have to abide by the rules set up for this procedure. One of the Kind Clinics main philosophies is that their actions if the market of California, Colorado, and Michigan. [url=http://vaporizerworld.org/pax-vaporizer-review/]Pax Vaporizer[/url] Marinol Differences been enough valid signatures because a concluded it out, endorsed the application and granted the card. Free As brain and could be an to be sure of causes of cannabis-known with liberal cannabis laws such as the Netherlands and Denmark. It may also help stimulate unpollinated to not debate isn't affecting the progress completely. But doctors are frequently found with any aromatic, sclerosis Management using, craving, seeking and compulsive behavior. The battle to ban or in your own words about why you a found demand help in bringing changes in an individual. It's a hard job to do, but all parents that not, Use you might appreciate the skunky, pungent aroma, others may not. Clean the weed comfort level as the is a are reasonable medical necessary the will at even permit any medical uses of it. A dispensary in Colorado Springs has had its named THC: fears addiction must be licensed by the government. Several experiments have been conducted on the charge the apparently for marijuana growing can be different experience.

    Reply
  • good 1

    Posted by karthik on 11/27/2012 11:07pm

    thnx a lot for ur superb and simple explanation..

    Reply
  • Loading, Please Wait ...

Leave a Comment
  • Your email address will not be published. All fields are required.

Top White Papers and Webcasts

  • On-demand Event Event Date: September 10, 2014 Modern mobile applications connect systems-of-engagement (mobile apps) with systems-of-record (traditional IT) to deliver new and innovative business value. But the lifecycle for development of mobile apps is also new and different. Emerging trends in mobile development call for faster delivery of incremental features, coupled with feedback from the users of the app "in the wild." This loop of continuous delivery and continuous feedback is how the best mobile …

  • The explosion in mobile devices and applications has generated a great deal of interest in APIs. Today's businesses are under increased pressure to make it easy to build apps, supply tools to help developers work more quickly, and deploy operational analytics so they can track users, developers, application performance, and more. Apigee Edge provides comprehensive API delivery tools and both operational and business-level analytics in an integrated platform. It is available as on-premise software or through …

Most Popular Programming Stories

More for Developers

Latest Developer Headlines

RSS Feeds