Remember to Strongly-Sign Assemblies You Distribute

This has bitten me in the rear a number of times: I download a free/open source/whatever source component, plug it in my project and… Visual Studio complains the assembly is not strongly signed. We always sign our assemblies, so compiling with unsigned ones becomes a problem. We’re lucky if the 3rd party component comes with source code so we can throw in a .snk file and recompile it.

Conventional wisdom says a signature is need only if the assembly goes into GAC. This is correct, but signatures are also a way of disciplined versioning. I understand it’s a point of contention to some people, but I side with proponents of strong signing (Jeffrey Richter, for example).

I’ve been guilty of not following this rule myself, but I became converted once I heard Jeffrey Richter speak on this subject.

Signature also proves the origin and the integrity of the assemlby. Yes, am I all for the signed assemblies.

Couldn't agree more. I remember hearing on some podcast somewhere that MS regrets not requiring all assemblies be signed. It costs "nothing" and adds value.

If you do find yourself stuck with an unsigned binary and no source, you can sign it with ilmerge (http://research.microsoft.com/~mbarnett/ILMerge.aspx) like so:

ilmerge Original.dll /keyfile:KeyFile.snk /out:Signed.dll

That's saved me on a couple of occasions.