Code Analysis/FXCop warned me that my credit card application was not signed with a Strong Name, which would make it more difficult to determine if the assemblies had been tampered with. For more information on Strong Names and why they're a good thing, see this Tech Republic article.
you first need a cryptographic key before you can sign an assembly. The key is created using the sn.exe tool provided by the Windows SDK.
I had forgotten that I used a 3rd party library to manage logging the user out after a configurable period of inactivity and their assembly was not signed. You can't sign an assembly unless all of its dependencies are signed as well, which makes sense. You need to replace the unsigned assemblies with signed ones first.
If you can compile the 3rd party library from source, you can sign it yourself; otherwise you'll want to ask them to provide you with a signed assembly. I was in an odd situation where I had compiled the library but had not saved the code, and couldn't find the open source project from which I originally gotten the code. My solution was to sign it myself by disassembling the assembly, and re-assembling it using my key.
The ildasm.exe tool is used to disassemble .NET assemblies.
It's not uncommon to have multiple versions of .NET installed on a computer, let alone on a developer's computer, so be sure to use ilasm.exe for the lowest version of .NET you wish to support when you re-assemble your library. You can't assemble it with v4.0.30319\ilasm.exe if you're targeting a .NET 2.0 platform.
you first need a cryptographic key before you can sign an assembly. The key is created using the sn.exe tool provided by the Windows SDK.
sn.exe -k sgKey.snkI added my sgKey.snk file to my project in Visual Studio, and then in the Application's properties I went to the Signing tab, checked the "Sign the assembly" box, and specified my key file.
I had forgotten that I used a 3rd party library to manage logging the user out after a configurable period of inactivity and their assembly was not signed. You can't sign an assembly unless all of its dependencies are signed as well, which makes sense. You need to replace the unsigned assemblies with signed ones first.
If you can compile the 3rd party library from source, you can sign it yourself; otherwise you'll want to ask them to provide you with a signed assembly. I was in an odd situation where I had compiled the library but had not saved the code, and couldn't find the open source project from which I originally gotten the code. My solution was to sign it myself by disassembling the assembly, and re-assembling it using my key.
The ildasm.exe tool is used to disassemble .NET assemblies.
ildasm /output:Timer.il Timer.dllThen, the ilasm.exe tool let me provide my key file and re-assemble the library so I had a signed assembly.
ilasm /dll /key:sgKey.snk Timer.ilildasm.exe is provided by the Windows SDK, and ilasm can be found in your %WINDIR%\Microsoft.NET\Framework\v## directory (where ## is replaced by an appropriate version number of the .NET Framework).
It's not uncommon to have multiple versions of .NET installed on a computer, let alone on a developer's computer, so be sure to use ilasm.exe for the lowest version of .NET you wish to support when you re-assemble your library. You can't assemble it with v4.0.30319\ilasm.exe if you're targeting a .NET 2.0 platform.
Comments
Post a Comment