Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
720 views
in Technique[技术] by (71.8m points)

security - .NET: Strong naming vs. Authenticode

Having read about strong names in .NET here, for example, I have the following question:

We have an Authenticode code signing certificate with which we sign all our EXE, DLL and MSI files. The benefit of that is that Windows knows the MSI comes from a trusted source, and also that the authenticity of each file can be verified if required.

We currently do not use .NET strong names. I have read that strong-naming a file essentially means that it is digitally signed with a self-signed certificate. My opinion on this is that an Authenticode certificate signed by a trusted certificate authority is much more valuable than a self-signed certificate whose authenticity nobody can verify anyway because they lack the root certificate (and we are not going to distribute that to end users, are we!?).

Question: Is there any value in additionally strong-naming assemblies if Authenticode signing is already used?

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)

The answer will depend upon why you have created a strong name - the intended use of strong name is to create a unique identity for the assembly. For example, if you need to push your assembly in GAC then strong name is must. However strong name is not really meant for verifying the authenticity of publisher - Authenticode serve that purpose. See this article: http://blogs.msdn.com/b/shawnfa/archive/2005/12/13/authenticode-and-assemblies.aspx


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...