How Do I...Create a delay signed shared assembly?

Giving an assembly a strong name requires two cryptographic keys: a public key and a private key. This key pair is passed to the compiler at build time, as described in How Do I... Create an assembly with a Strong Name?, to create the strong name.

However, the person building the assembly does not always have access to the private key required for strong naming. This is most common in corporations that have a central signing entity that closely guards private keys; only a few select people have access to these keys. The strong-naming step also cannot simply be moved to after the build, because the public key is part of the assembly's identity and must be supplied at build time so that clients of the assembly can compile against the full assembly identity.

The .NET Framework offers delay signing, which effectively splits the process of assigning the strong name into two steps:

  1. At build time, the public key is given to the compiler so it can be recorded in the PublicKey field in the assembly manifest. Space is also reserved in the file for the signature, although the actual signature is not generated at this time.
  2. At a later time, the actual signature is generated and stored in the file. Signature generation is done with the -R switch of the Strong Name tool (Sn.exe).

When you include the System.Reflection.AssemblyDelaySignAttribute in your source code, it tells the compiler that the assembly is to be created with delay signing. You also need to supply the public key, using AssemblyKeyFileAttribute. Typically, the signing entity uses sn -k to generate a key pair and store it in a file, then extracts the public key from that file using sn -p. The public key can then be given out while the private key stays secret.

sn -k Testkey.snk
sn -p Testkey.snk TestPublicKey.snk

The following example uses AssemblyKeyFileAttribute and AssemblyDelaySignAttribute to create a delay signed assembly. In Visual Basic, the assembly-level attributes must precede any type declarations in the file.


Imports System
Imports System.Reflection

<assembly:AssemblyKeyFileAttribute("TestPublicKey.snk")>
<assembly:AssemblyDelaySignAttribute(true)>
VB

Since the assembly in the example does not yet have a valid signature, the signature validation performed by the common language runtime will fail when you try to install the assembly into the global assembly cache or load it from an application directory. During development, the Strong Name tool can be used to disable signature verification for a particular assembly with the -Vr option. The skip is registered on the local machine and applies to every process that loads that assembly there, so it is meant for development machines only; sn -Vu removes it again.

sn -Vr DelaySign.dll

A valid signature must be generated with sn -R before the assembly is shipped to customers. This is typically done by the company's signing entity, which must supply the full key pair to create a valid signature.

sn -R DelaySign.dll Testkey.snk

The makefile included with this sample performs the following steps:

  1. Creates a key pair using sn -k.
  2. Separates the public key from the private key and stores the public key in its own file.
  3. Creates a delay signed assembly in either Visual Basic or C#.
  4. Uses the Strong Name tool to request that signature verification be skipped for the assembly just generated.
  5. Generates a valid signature using the Strong Name tool. This typically happens just before you ship the assembly.
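The two-phase flow in the steps above, as an added example that is not part of this sample and does not use Sn.exe: Python stands in for the compiler, the Strong Name tool and the runtime's load-time check, and textbook RSA over a constructed file layout replaces the real PE/CLI format and Sn.exe's PKCS#1 signing. The names generate_key_pair, extract_public_key, build_delay_signed, sign, verify and runtime_load are this example's own.

```python
import hashlib
import random

# Layout of the modelled file (constructed for this example, not the PE/CLI format):
#   magic(4) | n(64, big-endian) | e(4) | code_len(4) | code | signature slot(64)
MAGIC = b"DSGN"
KEY_LEN = 64          # 512-bit modulus
SIG_LEN = 64          # reserved signature slot, zero-filled until the sign step runs
HEADER_LEN = 4 + KEY_LEN + 4 + 4


def _is_probable_prime(n, rng, rounds=20):
    """Miller-Rabin test; sufficient for an illustrative key pair."""
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _gen_prime(bits, rng):
    while True:
        candidate = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate, rng):
            return candidate


def generate_key_pair(seed):
    """Models 'sn -k Testkey.snk': textbook RSA, seeded so the example is repeatable."""
    rng = random.Random(seed)
    e = 65537
    while True:
        p, q = _gen_prime(256, rng), _gen_prime(256, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            break
    return {"n": p * q, "e": e, "d": pow(e, -1, phi)}


def extract_public_key(key_pair):
    """Models 'sn -p Testkey.snk TestPublicKey.snk': the half that can be handed out."""
    return {"n": key_pair["n"], "e": key_pair["e"]}


def build_delay_signed(code, public_key):
    """Build step: record the public key and reserve a zeroed signature slot.
    Note that no private key is involved here at all."""
    return (MAGIC + public_key["n"].to_bytes(KEY_LEN, "big")
            + public_key["e"].to_bytes(4, "big") + len(code).to_bytes(4, "big")
            + code + bytes(SIG_LEN))


def _embedded_public_key(blob):
    return {"n": int.from_bytes(blob[4:4 + KEY_LEN], "big"),
            "e": int.from_bytes(blob[4 + KEY_LEN:8 + KEY_LEN], "big")}


def _digest(blob):
    # The hash covers the whole file with the signature slot zeroed, so the
    # build-time and signing-time views of the file agree.
    return int.from_bytes(hashlib.sha256(blob[:-SIG_LEN] + bytes(SIG_LEN)).digest(), "big")


def sign(blob, key_pair):
    """Models 'sn -R DelaySign.dll Testkey.snk': this is the only step that needs d."""
    if _embedded_public_key(blob) != extract_public_key(key_pair):
        raise ValueError("key pair does not match the public key recorded at build time")
    signature = pow(_digest(blob), key_pair["d"], key_pair["n"])
    return blob[:-SIG_LEN] + signature.to_bytes(SIG_LEN, "big")


def verify(blob):
    """What the runtime checks on load: a signature is present and valid under the embedded key."""
    if not blob.startswith(MAGIC) or len(blob) < HEADER_LEN + SIG_LEN:
        return False
    slot = blob[-SIG_LEN:]
    if slot == bytes(SIG_LEN):
        return False                      # delay signed but not yet signed
    pub = _embedded_public_key(blob)
    return pow(int.from_bytes(slot, "big"), pub["e"], pub["n"]) == _digest(blob)


def runtime_load(blob, name, skip_verification):
    """Models loading with an 'sn -Vr' skip list: a listed name loads with no integrity
    check at all, which is why the skip list belongs on development machines only."""
    return name in skip_verification or verify(blob)
```

Running the functions in order reproduces the makefile's steps: build_delay_signed succeeds with only the public key, verify rejects the unsigned file, runtime_load accepts it only while the name is on the skip list, sign refuses a key pair whose public half differs from the one recorded at build time, and any change to the body after signing makes verify fail.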

Example

VB Delay Signing

For more information regarding delay signing, see the topic "Delayed Signing an Assembly" in the core SDK documentation.


Copyright 2001 Microsoft Corporation. All rights reserved.