Possible Duplicate:
Shared Assembly - Is Signing Required?
If I want to build a shared assembly, does that require the overhead of signing and managing key pairs?
To build a shared assembly, does it require overhead of signing?
342 views Asked by 3692 At
4
There are 4 answers
0
On
You need to sign your assembly if you would like to deploy it to the Global Assembly Cache:
Assemblies deployed in the global assembly cache must have a strong name.
In other deployment scenarios strong names (which implies signing) is not required, but encouraged.
0
On
Actually no. .NET doesn't force you to sign assemblies. Also, all assembly in .NET are shared. You can't build static libraries just as you can with C++ or any other native language.
The only situation when you would need to sign an assembly is when you need to deploy it in Globall Assembly Cache.
0
On
No, it is not required.
Signing can be used to either increase the trust, when singing using e.g. a valid certificate or prevents the assembly from beeing altered when you strong name sign the assembly.
Only Assemblies in the GAC are required to be signend.
First of all, building a shared assembly does involve working with cryptographic keys. Only the public key is strictly needed when the assembly is being built. Compilers targeting the .NET Framework provide command line options (or use custom attributes) for supplying the public key when building the assembly. It is common to keep a copy of a common public key in a source database and point build scripts to this key. Before the assembly is shipped, the assembly must be fully signed with the corresponding private key. This is done using an SDK tool called SN.exe (Strong Name).
Strong name signing does not involve certificates like Authenticode does. There are no third party organizations involved, no fees to pay, and no certificate chains. In addition, the overhead for verifying a strong name is much less than it is for Authenticode. However, strong names do not make any statements about trusting a particular publisher. Strong names allow you to ensure that the contents of a given assembly haven't been tampered with, and that the assembly loaded on your behalf at run time comes from the same publisher as the one you developed against. But it makes no statement about whether you can trust the identity of that publisher.
Hope this helps.