How to sign an assembly with a strong name & how to create a pair key how to sign the Assembly through a strong name and how to create a key pair?

WWhat is hat is assembly?ProgramSet
A Ssembly is a logical collection of one or more modules [modjul]. Each assembly has a four-part name that uniquely identifies it. This four-part consists of Friendly name , Culture , Develpoer , And Version of the component . These names are sotred in Assembly manifest [Assembly list] Of the Assembly itself. the CLR uses the four-part assemebly name to find the correct component at load time. the CLR provides programmatic access to assenbly names via the system. reflection. assemblyname type, which is easily accessed via the system. reflection. assembly. getname method.
An assembly is a collection of one or more modules. Each assembly signature is identified by a four-part name. These four parts include the file name, culture, developer, and version number. All assembly information is stored in the Assembly's own assembly list. During loading, CLR uses the Assembly name to find the correct component.

The Name property if the Assembly name is not optional, that is to say compulsory. in simple scenarios, the name property is all that the CLR needs to locate the correct component at load time. when one builds an assembly, this part of name is automatically selected by your compiler based on the target file name.

All Assembly names have a fout-part versionnumber of the form majar. Minor. Build. Revision. If u do not set this version number explicitly, it defaults to be 0.0.0.0.

Assembly names can contain a cultureinfo attribute that identifies the spoken language and country code that the component has been develped.

STrong name Assembly strongly-named assembly
Different corperation may develop the assemblies that have the same Assembly name. If all this assemlbies are installed in the same directory, the lastest installed assembly will overwrite the previis one. This is the reason why famousDLL hellOcurrs
Obiviously, using simpe assemly name to indentify itself is not always secure and not enough, therefore CLR requires a secure mechnism to idenfity each assembly, this is calledStrong name assembly
Because different companies may develop an assembly with the same name, if these assembly is copied to the same directory, the last installed assembly will replace the previous Assembly. This is why the famous windows "DLL hell" appeared.
Obviously, it is not enough to distinguish an assembly by file name. CLR must support a mechanism to uniquely identify an assembly. This is the so-called strongly-named assembly.
A strong name assembly consists of four feactures which can idenfity the Assembly itself: name, version, culture info, and Public/Private Key
A strongly-named Assembly contains four unique flag Assembly features: File Name (without extension), version number, language and cultural information (if any), and public key.


PUblic keys and assemblies public key and assembly
The CLR uses public key technology both to uniquely identify the developer of a component and to protect the component from being tampered [tampered] With once it is out of the original developer's hands. each assembly can have a public key embedded in its manifest that identifies the developer. assemblies with public keys also have a digital signature that is generated before the Assembly is first shipped that provides a secure hash of the assembly manifest. this digital signature Cn be verified using only The Public Key ; However, ths signature can be generated only with the corresponding Private Key , Which organizations must guard more closely than their source code. The current builds of the CLR use RSA public/private keys AndSecure Hash Algorithm (SHA) Hasing to produce the digital signature (fingerprint)
In CLR, the public key can be used to sign the Assembly, so as to uniquely identify component developers and protect components from tampering. Each assembly can have a public key embedded in its assembly list to indicate its developers and other information.

H Ow to sign an Assembly how to sign an assembly

You must have a cryptographic key pair to signAssemblyA strong name.To sign an assembly with a strong name, you must have a public/privae key pair. this public and private cryptographic key Pais is used during complilation to create a strong-named assembly, u can create a key pair using the strong name tool (Sn.exe), Key pairs files usually have an. SNK Extension
Command line:
Sn-K keyname 
A pair of accesskeys is required for strong name signatures on the Assembly. The method for creating a public/private key is very simple. You can directly call the. net sdk command: Sn

How to generate public/private key pair via commad Sn how to use the SN command to create a key pair

SnCommand concepts Sn command Basics
1. Create a public/private key create a public/private key command
Sn-K keypairname. SNK // Normally, the suffixed character for key pair is SNK, but not mandate.
// Generally, the key pair suffix is SNK, but it is not mandatory
Eg. Sn -K Mykey. SNK
2 to generate a public key from key pairs and see the content | Public Key token
Generate a public key from the key pair and view the public key content or Public Key token.
A. Sn-PMykey. SNK mypublickey. SNK First, generate a public key from the key pair
B. Sn-TP mypublickey. SNK Then you can view the public key content and Public Key token.
As shown in

C) Sn-T mypublickey. SNK or view only the Public Key token

GEt back to the topic: How wo sign? Back to topic: how to sign?
Only if we got the key pairs, it's very simple to sign with a strong name. we only need to set the system. reflection. assemblykeyfileattribute as the key pair in the assemblyinfo. CS file, as shown:
After obtaining the key pair, it is very easy to sign the assembly. In the assemblyinfo. CS file, set the assemblykeyfile of the Assembly to a key pair. As shown below
Using system. reflection;
[Assembly: assemblykeyfile ("mykey. SNK")]



Example:

1. Project without strong name signature does not use the strong name signature project

First, create a dll library project called test. Define a mytest class in the project and provide a method hello.

Its primary Code As follows:

Namespace Test

{

Public mytest

{

Public String Hello ()

{

Return "Hello World ";

}

}

}
After the project is built, we can get the test. dll file.
Then, create another project to call this DLL. Create project named console1 and add reference test. dll. The main code is as follows:

Using system;
Using system. Collections. Generic;
Using system. LINQ;
Using system. text;
Using test;

Namespace console1
{
Class Program
{
Static void main (string [] ARGs)
{
Try
{
Test. mytest A = new mytest ();
Console. writeline (A. Hello ());
}
Catch (exception E)
{
Console. writeline (E. Message. tostring ());
}
}
}
}

The output result is Hello world.
However, we know that we can use many reverse compilation tools such as ildasm.exe to get the assembly structure. We can create another DLL that is exactly the same as the test. DLL interface to replace the original test. dll.
For example, we compile an assembly with the same interface, as shown below:
Namespace Test

{

Public mytest

{

Public String Hello ()

{

Return "this is a hack DLL ";
}

}

}

The program can still run normally! This is the famous DLL hell! Therefore, we can replace the original DLL when there is no strong name for malicious or unintentional actions, so that the program is unpredictable !!
So how can this problem be prevented? We can use strong name.
First, let's take a look at how. Net runtime identifies and imports a DLL. In. net, when we talk about Assembly name, it doesn't just mean its file name (such as ABC. dll ). In reality, assembly name consists of four parts: friendly name, culture, pubilc key (token), and version. Except for friendly name and version, the other two depend on whether the developer specifies them. For example, a beginner like me will not create a program with a public key. If it is not specified, culture = neutral and publickeytoken = NULL. We know that there are two types of Assembly import: Display import and implicit import. Display refers to the use of Assembly. load or assembly. loadfrom to dynamically import an assembly to the memory. Implicit refers to the Assembly used for automatic CLR import. When CLR loader decides to import an assembly, it will certainly import the Assembly with the same publickey or publickeytoken as the reference stage. Otherwise, the Import fails. For example, if the publickeytoken of the ABC assembly in the reference is 1234123412341234, it will find the Assembly with 1234123412341234publictoken in the running stage, and an exception will be thrown if it cannot be found. Of course, if the reference assembly does not have publickey,. Net runtime will omit this process. From this, we can see that pulic key or publickeytoken is the digital signature we need. We call a program with a public key a strong signature program.

The signing process of a typical project is as follows:
1. Create a public key/key pair, command: Sn-K test. SNK
2. In assemblyinfo. CS of the Assembly that requires strong signatures, set the key pair as follows:
[Assembly: assemblykeyfile (@ "test. SNK")]
Build the project and you will get the Assembly with a strong signature.

however, in a large project, you cannot pair the key to every developer in the project. So how can we solve this problem?
1. We can first ask the project personnel to sign the Assembly with the public key. Obtain the public key from the key pair as follows:
Sn-P test. SNK mypublickey. SNK
to obtain the public key corresponding to the key pair.
of course, we can use Sn-T mypublickey. the SNK checks the Public Key token. Or Sn-TP mypublickey. SNK to check the public key content and Public Key token.
if you use publickey to sign a project, you only need to set it as follows:
[Assembly: assemblykeyfile ("mypublic. SNK ")]
[Assembly: assemblydelaysign (true)]
Note: [Assembly: assemblydelaysign (true)] note that the signature is delayed. Otherwise, the Assembly cannot pass compile or build.
If the Assembly cannot be sent to GAC under the delayed signature condition, the following processing must be performed:
Sn-VR myother. DLL
to skip the verification process during public deployment.

2. After assembly buidl, use key pair to sign assemly. Suppose we have a post-release Assembly named myther. dll with delayed signature. To re-sign the Assembly, run the following command:
Sn-r myother. DLL test. SNK // test. SNK is the complete key pair.
Finally, restart the previously prohibited verification process
Sn-vu myther. DLL // unregister for verification skipping