Snk file & Delay Signing

1.6k views Asked by At

I am working with a set of delay signed assemblies which I am able to install and load from GAC after skipping verification (sn -Vr * ...

Since Delaysigning as a process requires only the public key file

  1. sn -k keys.snk (both Public & Private keys)
  2. sn -p keys.snk pkey.snk (only public key)
  3. Add pkey.snk to project properties and check 'Delay Sign Only'
  4. sn -v (displays assembly is delay signed)
  5. sn -e (extract pkey)
  6. fc (no diff found)

I found that the first 160 bytes of the SNK file is the PKey... and rest 436 bytes represent private key.

While for development purposes sn-Vr or sn -R keys.snk (new public/private key pair to replace the one delay-signed with) should suffice, I'm curious to know if extracting the public key from an assembly and pairing it with your own private key would work...

This could be a potential security loop hole (as assemblies are looked up with public key tokens)... No wonder there's no built in tool in .Net framework / SDK that allows this.

Is there a place where the entire SNK file structure (file format) is documented? Can this approach, in general, work? What do you think?

1

There are 1 answers

4
SLaks On

You seem to be concerned that someone will generate a random keypair, replace the public key in the keypair with the public key from a different assembly, then sign their own assemblies to have that public key.

This will not work.
THe public key in a keypair is derived cryptographically from the private key, and the assembly is signed with a value that can only be computed using the correct private key.
Each private key will generate a different signature, and they're not interchangeable.

For more information, see here.