Strong Name Sign .NET Assemblies via SNK
Strong Name Signing is a mechanism in .NET development that gives an assembly a verifiable, unique identity. It is based on an RSA public/private key pair.
Contrary to what many assume, it is not a security mechanism but a mechanism that guarantees the uniqueness of an assembly's identity. It is therefore recommended to store both the private and the public key directly in the repository rather than hiding them, especially in open source projects.
Immo Landwerth (.NET PM Microsoft) https://twitter.com/terrajobst/status/848560465672151040
Dear OSS maintainers: unless your keys are in hardware or used for sandboxing, just check in your .snk files. It's much easier.
The official documentation makes the same point:
Do not rely on strong names for security. They provide a unique identity only. ... If you are an open-source developer and you want the identity benefits of a strong-named assembly for better compatibility with .NET Framework, consider checking in the private key associated with an assembly to your source control system.
Signing Benefits
In the days of the .NET Framework there were corresponding runtime benefits, such as identity management in the Global Assembly Cache (GAC) and certain loader behaviors; none of these exist any more since .NET Core and .NET 5+. Strong names are no longer validated at runtime. The only benefit today is proof of identity.
How do you sign?
In principle, command-line tools are available for this, and Visual Studio also offers the functionality directly.
The better approach, however, is to integrate signing directly into the build so that the CI/CD system produces signed assemblies in a stable, verifiable and automated way.
Creating the Key Pair
The CLI tool SN.exe (Strong Name Tool) is required for the initial creation of the SNK file that the build uses for signing.
It can either be downloaded separately, or you can simply use the CLI that comes with Visual Studio (the Developer Command Prompt) with the solution open in Visual Studio.
The command sn -k MyKeyName.snk creates the key pair. The SNK file is usually named after the solution, not after an individual project.
**********************************************************************
** Visual Studio 2022 Developer Command Prompt v17.10.0-pre.4.0
** Copyright (c) 2022 Microsoft Corporation
**********************************************************************
C:\source\benabt\ba-StrongOf>sn -k MySolutionName.snk
Microsoft (R) .NET Framework Strong Name Utility Version 4.0.30319.0
Copyright (c) Microsoft Corporation. All rights reserved.
Key pair written to MySolutionName.snk
The file MySolutionName.snk is now located next to the solution file, in this example MySolutionName.sln.
Next, the public key is extracted with the command sn -p MyKeyName.snk MyPublic.snk; the result is another binary file that contains only the public half of the key pair, which is what the next steps need.
The command sn -tp then displays this public key as a hex string (the output header names the hash algorithm the strong name uses, SHA-1):
C:\source\benabt\ba-StrongOf>sn -tp public.snk
Microsoft (R) .NET Framework Strong Name Utility Version 4.0.30319.0
Copyright (c) Microsoft Corporation. All rights reserved.
Public key (hash algorithm: sha1):
002400000Public-Key-Output11111111111
Now we are ready to sign.
Configure projects
Usually all projects in a solution are signed, and all of them use the same key pair, since they share one identity.
The easiest way to configure this is via Directory.Build.props, so that this one central file configures every project; alternatively, all of the following settings can be placed individually in each csproj file, with correspondingly more effort.
The Directory.Build.props is extended by the following entries:
<PropertyGroup>
  <SignAssembly>true</SignAssembly>
  <AssemblyOriginatorKeyFile>$(MSBuildThisFileDirectory)MyKeyName.snk</AssemblyOriginatorKeyFile>
  <PublicKey>002400000Public-Key-Output11111111111</PublicKey>
</PropertyGroup>
Once the public key has been entered here, the public key file (public.snk in this example) can be deleted from the file system.
The configuration is now complete. All assemblies are now signed automatically during the build 🎉
Verify
The command sn -vf MyAssembly.dll can now be used to check whether signing was successful. This works both locally during development and, for example, with the assemblies contained in the NuGet package.
C:\source\benabt\ba-StrongOf>sn -vf StrongOf.dll
Microsoft (R) .NET Framework Strong Name Utility Version 4.0.30319.0
Copyright (c) Microsoft Corporation. All rights reserved.
Assembly 'StrongOf.dll' is valid
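The identity that strong naming provides is the public key token: the last 8 bytes of the SHA-1 hash of the public key blob (the blob that sn -tp prints above), written in reverse order. The following C# program is an added example, not code from the original post or from the StrongOf project. It derives that token from either the key pair file (sn -k output) or the public key file (sn -p output), then walks a build output folder and fails when any managed assembly does not carry exactly that token, which is the kind of check a CI pipeline can run after the build. The file names MyKeyName.snk and bin/Release are assumptions.

```csharp
// Added example (not part of the original post): derive the strong-name public key
// token from an SNK file and check that every built assembly carries that identity.
using System;
using System.Buffers.Binary;
using System.IO;
using System.Reflection;
using System.Security.Cryptography;

static class StrongNameCheck
{
    // Builds the public key blob in the layout "sn -p" writes and "sn -tp" prints:
    // SigAlgId (CALG_RSA_SIGN), HashAlgId (CALG_SHA1), blob length,
    // BLOBHEADER + RSAPUBKEY (magic "RSA1") + little-endian modulus.
    static byte[] BuildPublicKeyBlob(uint bitLen, uint pubExp, byte[] modulusLittleEndian)
    {
        var blob = new byte[12 + 8 + 12 + modulusLittleEndian.Length];
        var span = blob.AsSpan();
        BinaryPrimitives.WriteUInt32LittleEndian(span[0..], 0x00002400);  // CALG_RSA_SIGN
        BinaryPrimitives.WriteUInt32LittleEndian(span[4..], 0x00008004);  // CALG_SHA1
        BinaryPrimitives.WriteUInt32LittleEndian(span[8..], (uint)(blob.Length - 12));
        blob[12] = 0x06;                                                  // PUBLICKEYBLOB
        blob[13] = 0x02;                                                  // blob version
        BinaryPrimitives.WriteUInt32LittleEndian(span[16..], 0x00002400); // aiKeyAlg
        BinaryPrimitives.WriteUInt32LittleEndian(span[20..], 0x31415352); // "RSA1"
        BinaryPrimitives.WriteUInt32LittleEndian(span[24..], bitLen);
        BinaryPrimitives.WriteUInt32LittleEndian(span[28..], pubExp);
        modulusLittleEndian.CopyTo(span[32..]);
        return blob;
    }

    // Accepts either the key pair file from "sn -k" (PRIVATEKEYBLOB, magic "RSA2")
    // or the public key file from "sn -p" (12-byte header + PUBLICKEYBLOB, magic "RSA1").
    public static byte[] ReadPublicKeyBlob(string snkPath)
    {
        byte[] file = File.ReadAllBytes(snkPath);
        if (file.Length >= 12 && BinaryPrimitives.ReadUInt32LittleEndian(file.AsSpan(0)) == 0x00002400)
            return file; // already a public key file, use as-is

        // PRIVATEKEYBLOB: bType 0x07, then RSAPUBKEY with magic "RSA2", bitlen, pubexp, modulus ...
        if (file.Length < 20 || file[0] != 0x07 ||
            BinaryPrimitives.ReadUInt32LittleEndian(file.AsSpan(8)) != 0x32415352)
            throw new InvalidDataException($"{snkPath} is neither a key pair nor a public key file");
        uint bitLen = BinaryPrimitives.ReadUInt32LittleEndian(file.AsSpan(12));
        uint pubExp = BinaryPrimitives.ReadUInt32LittleEndian(file.AsSpan(16));
        byte[] modulus = file.AsSpan(20, (int)(bitLen / 8)).ToArray();
        return BuildPublicKeyBlob(bitLen, pubExp, modulus);
    }

    // Public key token = last 8 bytes of SHA-1(public key blob), reversed, lower-case hex.
    public static string PublicKeyToken(byte[] publicKeyBlob)
    {
        byte[] tail = SHA1.HashData(publicKeyBlob)[^8..];
        Array.Reverse(tail);
        return Convert.ToHexString(tail).ToLowerInvariant();
    }

    static int Main(string[] args)
    {
        string keyFile = args.Length > 0 ? args[0] : "MyKeyName.snk"; // assumed file name
        string outDir = args.Length > 1 ? args[1] : "bin/Release";    // assumed output folder

        byte[] blob = ReadPublicKeyBlob(keyFile);
        string expected = PublicKeyToken(blob);
        Console.WriteLine($"Public key:     {Convert.ToHexString(blob).ToLowerInvariant()}");
        Console.WriteLine($"Expected token: {expected}");

        int failures = 0;
        foreach (string dll in Directory.EnumerateFiles(outDir, "*.dll", SearchOption.AllDirectories))
        {
            byte[] token;
            try { token = AssemblyName.GetAssemblyName(dll).GetPublicKeyToken(); }
            catch (BadImageFormatException) { continue; } // native DLL, not a managed assembly

            string actual = token is { Length: > 0 } ? Convert.ToHexString(token).ToLowerInvariant() : "(none)";
            bool ok = actual == expected;
            if (!ok) failures++;
            Console.WriteLine($"{(ok ? "OK  " : "FAIL")} {Path.GetFileName(dll)} token={actual}");
        }
        return failures == 0 ? 0 : 1; // non-zero exit code fails the CI step
    }
}
```

Note what this check does and does not cover: AssemblyName.GetAssemblyName only reads the public key embedded in the assembly's metadata, so it confirms that the assembly claims the expected identity (and catches a project that was left out of the Directory.Build.props configuration or built with a different key), but it does not verify the signature itself; a delay-signed or public-signed assembly would pass. Validating that the signature is actually present and correct remains the job of sn -vf, as shown above.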
References
Open source examples that use SNK signing: