Remember to Strongly-Sign Assemblies You Distribute

Posted on July 24, 2007

Posted in Development


This has bitten me in the rear a number of times: I download a free/open source/whatever source component, plug it into my project and… Visual Studio complains the assembly is not strongly signed. We always sign our assemblies, so compiling with unsigned ones becomes a problem. We’re lucky if the 3rd party component comes with source code so we can throw in a .snk file and recompile it.

Conventional wisdom says a signature is needed only if the assembly goes into the GAC. This is correct, but signatures are also a means of disciplined versioning. I understand it’s a point of contention for some people, but I side with the proponents of strong signing (Jeffrey Richter, for example).

I’ve been guilty of not following this rule myself, but I became converted once I heard Jeffrey Richter speak on this subject.

2 comments

Miha Markic
on July 24, 2007

Signature also proves the origin and the integrity of the assembly. Yes, I am all for the signed assemblies.


Kent Boogaart
on July 24, 2007

Couldn't agree more. I remember hearing on some podcast somewhere that MS regrets not requiring all assemblies be signed. It costs "nothing" and adds value.

If you do find yourself stuck with an unsigned binary and no source, you can sign it with ilmerge (http://research.microsoft.com/~mbarnett/ILMerge.aspx) like so:

ilmerge Original.dll /keyfile:KeyFile.snk /out:Signed.dll

That's saved me on a couple of occasions.
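
A way to see which DLLs in a folder carry a strong name before referencing them from a signed project, and to confirm that a re-signed output such as Signed.dll carries the key you expect. This PowerShell function is an added example, not code from the post or its commenters; the function name, its parameters and the folder path in the usage line are hypothetical.

```powershell
# Added example. Reads each assembly's manifest without loading it and
# reports whether it declares a public key (i.e. is strong-named).
# Note: this shows the declared key only; it does not validate the
# signature. Use "sn -vf <assembly>" from the .NET SDK tools for that.
function Get-StrongNameStatus {
    param(
        [Parameter(Mandatory)][string]$Path,   # folder holding the DLLs
        [string]$ExpectedToken                 # optional: your own key's token (hex)
    )

    Get-ChildItem -Path $Path -Filter *.dll -File | ForEach-Object {
        $row = [ordered]@{
            File           = $_.Name
            Version        = $null
            PublicKeyToken = $null
            StrongNamed    = $false
            MatchesKey     = $null
            Note           = $null
        }
        try {
            $name  = [System.Reflection.AssemblyName]::GetAssemblyName($_.FullName)
            $token = $name.GetPublicKeyToken()
            $row.Version = $name.Version

            if ($token -and $token.Length -gt 0) {
                # Render the 8-byte token the way sn.exe and fusion logs show it
                $row.PublicKeyToken = -join ($token | ForEach-Object { $_.ToString('x2') })
                $row.StrongNamed    = $true
            }
            if ($ExpectedToken) {
                # String comparison with -eq is case-insensitive in PowerShell
                $row.MatchesKey = ($row.PublicKeyToken -eq $ExpectedToken)
            }
        }
        catch {
            # Native DLLs and corrupt files have no readable assembly manifest
            $row.Note = 'unreadable as a .NET assembly'
        }
        [pscustomobject]$row
    }
}

# Usage (constructed folder name and placeholder token):
# Get-StrongNameStatus -Path .\lib -ExpectedToken '<your-key-token>' | Format-Table
```

Any row with StrongNamed false is an assembly a signed project cannot reference as-is; a row with MatchesKey false after re-signing means the output was not signed with the key file you intended.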

