Question: How do I delay sign an ASP.NET application assembly?
Answer:
You can delay sign the assembly by using Visual Studio 2005 and a public key extracted from an existing strong name key. In the project properties of the assembly, select the Signing pane. By checking the "Sign the assembly" and "Delay sign only" check boxes, you instruct the compiler to delay sign the assembly with the public key file specified.
Delay signing your assemblies during application development means that the public key is placed in the assembly. This allows the public key to be available as evidence to code access security policy, but the assembly is not signed. From a security perspective, delay signing has two main advantages:
* The private key used to sign the assembly and create its digital signature is held securely in a central location. The key is only accessible by a few trusted personnel. As a result, the chance of the private key being compromised is significantly reduced.
* A single public key, which can be used to represent the development organization or publisher of the software, is used by all members of the development team, instead of each developer using his or her own public, private key pair.
Here is how you delay sign a .NET assembly:
* Extract the public key from a strong name key for delay signing.
  * Use the Sn.exe utility to extract the public key from the .pfx or .snk key pair file. The command is shown below; test.pfx is the key pair file.
    Sn -p c:\test.pfx c:\testpublickkey.snk
* Configure the assembly for delay signing.
  * In Solution Explorer, select the .NET assembly project and right-click it.
  * On the popup menu, select Properties; this opens the Project Designer page.
  * On it, select the Signing tab and select the Sign the assembly and Delay sign only check boxes.
* Select the public key for delay signing.
  * In the Choose a strong name key file: drop-down box, select <Browse…>.
  * In the file selection dialog box, browse to the public key (.snk) and click Ok.
* Delay sign the assembly - Now you just need to build the assembly; the compiler will build a delay-signed assembly using the public key configured.
* Final signing of the assembly - At the time of final release, use the following command to re-sign the assembly:
    Sn -R <assemblyName> C:\test.pfx
Important: Note that a delay signed project will not run and cannot be debugged. You can, however, use the Strong Name Tool (Sn.exe) with the -Vr option to skip verification during development.
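The Sn.exe steps above, collected into one batch file with the verification-skip entry scoped to a single assembly and removed afterwards. This is an added example, not part of the original FAQ; the assembly path bin\MyAssembly.dll and the dev/clean/release mode names are assumptions, and the key file paths are the ones used in the commands above.

```batch
@echo off
rem Added example, not from the original page. Run from a Visual Studio
rem command prompt so that sn.exe is on the PATH.
rem Assumed names: bin\MyAssembly.dll is hypothetical; the key file paths
rem are the ones used in the commands above.
setlocal
set "ASM=bin\MyAssembly.dll"
set "PUBKEY=c:\testpublickkey.snk"
set "KEYPAIR=c:\test.pfx"

if /i "%~1"=="dev" goto dev
if /i "%~1"=="clean" goto clean
if /i "%~1"=="release" goto release
echo Usage: %~nx0 dev ^| clean ^| release
exit /b 2

:dev
rem Show the public key and its token so the team can confirm the shared key.
sn -tp "%PUBKEY%" || goto fail
rem Register a verification skip for this one assembly only (not a wildcard).
sn -Vr "%ASM%" || goto fail
rem List every skip entry on this machine so stale ones are noticed.
sn -Vl
exit /b 0

:clean
rem Remove the skip entry; the delay-signed build stops loading again.
sn -Vu "%ASM%" || goto fail
exit /b 0

:release
rem Run where the private key is held. Re-sign, then force verification
rem (-vf ignores any skip entries) so an unsigned build cannot ship.
sn -R "%ASM%" "%KEYPAIR%" || goto fail
sn -vf "%ASM%" || goto fail
echo %ASM% is fully signed and verifies.
exit /b 0

:fail
echo sn.exe reported an error; stopping.
exit /b 1
```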