.NET: Strong naming vs. Authenticode

Having read about strong names in .NET here, for example, I have the following question:

We have an Authenticode code signing certificate with which we sign all our EXE, DLL and MSI files. The benefit of that is that Windows knows the MSI comes from a trusted source, and also that the authenticity of each file can be verified if required.

We currently do not use .NET strong names. I have read that strong-naming a file essentially means that it is digitally signed with a self-signed certificate. My opinion on this is that an Authenticode certificate signed by a trusted certificate authority is much more valuable than a self-signed certificate whose authenticity nobody can verify anyway because they lack the root certificate (and we are not going to distribute that to end users, are we!?).

Question: Is there any value in additionally strong-naming assemblies if Authenticode signing is already used?

Soporific answered 17/12, 2010 at 10:37 Comment(0)

The answer will depend upon why you have created a strong name. The intended use of a strong name is to create a unique identity for the assembly. For example, if you need to push your assembly into the GAC, then a strong name is a must. However, a strong name is not really meant for verifying the authenticity of the publisher; Authenticode serves that purpose. See this article: http://blogs.msdn.com/b/shawnfa/archive/2005/12/13/authenticode-and-assemblies.aspx

Belisle answered 17/12, 2010 at 10:55 Comment(3)
So I need strong names only for putting my assemblies into the GAC. We do not put our assemblies there, so no need for strong names. – Soporific

It's not entirely for publishing to the GAC - it can also be used to make sure that the DLLs referenced by your app are the ones you intended - since a strong name requires that all referenced DLLs also have strong names, it prevents someone swapping in a malicious DLL. Again, this doesn't confirm who wrote it, but it does make sure that all the assemblies were written by someone with access to the same SNK. – Brogue

To add to @Basic's awesome answers, one example is the Microsoft DLLs from NuGet that you can add to your project. If you try to edit one of those (decompile + change something + recompile, which I've tried to do before) and replace the original DLL, your application will crash due to the strong name not matching. – Education
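
The distinction drawn in the answer above can be checked on any file with the following C# console program, which is an added example and not code from the original thread. It derives the strong-name public key token from the assembly's public key alone and, separately, reads the embedded Authenticode signer certificate. The class name `SignatureReport` is hypothetical; `X509Certificate.CreateFromSignedFile` is Windows-only and only extracts the certificate, it does not validate the signature or the chain.

```csharp
using System;
using System.Reflection;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class SignatureReport   // hypothetical name, added example
{
    static string Hex(byte[] b) =>
        BitConverter.ToString(b).Replace("-", "").ToLowerInvariant();

    // Strong-name identity: the token is the last 8 bytes of SHA-1(public key),
    // in reverse order. It is derived from the key alone; no certificate,
    // publisher name or CA is involved.
    static string StrongNameToken(string path)
    {
        byte[] key;
        try { key = AssemblyName.GetAssemblyName(path).GetPublicKey(); }
        catch (BadImageFormatException) { return "(not a .NET assembly)"; }
        if (key == null || key.Length == 0) return "(not strong-named)";

        using (SHA1 sha1 = SHA1.Create())
        {
            byte[] hash = sha1.ComputeHash(key);
            byte[] token = new byte[8];
            for (int i = 0; i < 8; i++) token[i] = hash[hash.Length - 1 - i];
            return Hex(token);
        }
    }

    // Authenticode identity: an X.509 certificate naming the publisher and issuer.
    // This reads the embedded signer certificate only; it is not a trust decision.
    static string AuthenticodeSigner(string path)
    {
        try
        {
            X509Certificate cert = X509Certificate.CreateFromSignedFile(path);
            return cert.Subject + " (issued by " + cert.Issuer + ")";
        }
        catch (CryptographicException) { return "(no embedded Authenticode signature)"; }
    }

    static int Main(string[] args)
    {
        if (args.Length != 1) { Console.Error.WriteLine("usage: SignatureReport <file>"); return 2; }
        Console.WriteLine("Strong-name token : " + StrongNameToken(args[0]));
        Console.WriteLine("Authenticode cert : " + AuthenticodeSigner(args[0]));
        return 0;
    }
}
```

The token printed for a strong-named assembly is the same value that appears as `PublicKeyToken=` in assembly references, which is why a replacement DLL built with a different key no longer matches the reference.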
