interviews.dotnetthread.com


Wednesday, October 29, 2008

What is Delay signing?

It is the process of generating a partial signature during development with access only to the public key. The private key can be stored securely and used to apply the final strong name signature just before the project ships.
To use delay signing, follow these five steps:
1. Extract the public key from the key pair. We can use the sn.exe tool for this (the -p option reads the key pair from a file and writes only the public key):

sn -p keypairfilename ExtractPublicKey.pk
2. The development team can then use the generated public key (ExtractPublicKey.pk) to delay sign assemblies. At this stage the .NET Framework will not allow us to load the delay-signed assemblies, since they are not yet fully signed. It is therefore essential to configure our development machines to skip strong name signature verification for our key.

Use the C# compiler to delay sign an assembly as follows:

csc /delaysign+ /keyfile:ExtractPublicKey.pk test.cs
3. To configure the .NET Framework to skip strong name signature verification for the test.exe assembly on development machines:

sn -Vr test.exe

We can also configure the machine to skip verification for all assemblies delay signed with the same key as the test application. For that we first need the public key token, which the following command displays:

sn -T test.exe

Running the command above prints the public key token:

Public key token is b03f5f7f11d50a3a
4. Execute the following command to skip strong name verification for any assembly signed with the public key token obtained above:

sn -Vr *,b03f5f7f11d50a3a

Please note that skipping strong name signature verification should only be done on development machines. It should never be done in a production environment, because it opens those machines up to assembly spoofing attacks.
5. The fifth and final step is taken just before the project is deployed to production. We use the securely stored private key to generate the full strong name signature with the sn.exe tool (the -R option re-signs the assembly with the key pair from a file):

sn -R test.exe keypairfilename

This completes the process and adds the full signature to the assembly. Note that the delay-signed assemblies do not need to be rebuilt at this step: any assemblies that referenced the delay-signed assembly already had access to its public key and were therefore able to create a full assembly reference, even though the assembly did not yet have a full signature.
Note: Delay signing is an easy and secure way of protecting assemblies in the development environment. However, with delay signing in use, none of the strong name signatures are verified in the test environment, because verification has been turned off for the key. So there is a trade-off.
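As an added release check that is not part of the original post, the following Python script inspects the CLI header of a managed PE image and reports whether it carries a full strong name (the STRONGNAMESIGNED flag that sn -R sets), only the zero-filled placeholder that delay signing reserves, or no signature blob at all. The minimal PE fixture it builds is constructed for illustration and is not a real assembly; run strong_name_state(open(path, "rb").read()) against a real build output to audit it before shipping.

```python
import struct

# COMIMAGE_FLAGS_STRONGNAMESIGNED in the CLI header: set by the final "sn -R" step, clear when only delay-signed.
STRONGNAME_SIGNED = 0x00000008

def _rva_to_offset(rva, sections):
    """Map an RVA to a file offset using the (VA, SizeOfRawData, PointerToRawData) table."""
    for va, raw_size, raw_ptr in sections:
        if va <= rva < va + raw_size:
            return raw_ptr + (rva - va)
    raise ValueError("RVA %#x is not backed by any section" % rva)

def strong_name_state(data):
    """Return 'signed', 'delay-signed' or 'unsigned' for a managed PE image."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]                 # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsect = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    dirs = opt + (96 if magic == 0x10B else 112)                 # PE32 vs PE32+
    clr_rva, _ = struct.unpack_from("<II", data, dirs + 14 * 8)  # data directory 14 = CLR header
    if clr_rva == 0:
        raise ValueError("no CLI header: not a managed assembly")
    sect = opt + opt_size
    sections = [struct.unpack_from("<III", data, sect + i * 40 + 12) for i in range(nsect)]
    clr = _rva_to_offset(clr_rva, sections)
    flags = struct.unpack_from("<I", data, clr + 16)[0]
    sig_rva, sig_size = struct.unpack_from("<II", data, clr + 32)
    if sig_rva == 0 or sig_size == 0:
        return "unsigned"                 # no signature blob reserved at all
    if flags & STRONGNAME_SIGNED:
        return "signed"                   # sn -R has filled the blob and set the flag
    return "delay-signed"                 # blob reserved (zeros) but flag still clear

def build_sample(flags, sig_size=128):
    """Constructed fixture: a minimal, non-runnable PE32 image with one section and a CLI header."""
    pe, sect_va, sect_raw = 0x40, 0x1000, 0x200
    cli = struct.pack("<IHHIIIIIIII", 72, 2, 5, sect_va + 0x100, 0x10, flags, 0, 0, 0,
                      sect_va + 0x80 if sig_size else 0, sig_size)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    struct.pack_into("<II", opt, 96 + 14 * 8, sect_va, 72)       # CLR data directory (RVA, size)
    sect = b".text".ljust(8, b"\0") + struct.pack("<IIII", sect_raw, sect_va, sect_raw, 0x200) + b"\0" * 16
    hdr = bytearray(b"MZ".ljust(64, b"\0"))
    struct.pack_into("<I", hdr, 0x3C, pe)
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0) + opt + sect
    return bytes(hdr.ljust(0x200, b"\0") + cli.ljust(sect_raw, b"\0"))
```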
