Signing your assembly, newbie guide

Follow these easy steps. The first 4 steps you only have to do ONCE in your life. Steps 5-7 you only have to do ONCE per project.

  1. Open a command prompt
  2. Type vsvars32.bat (enter) or navigate to the .NET bin dir
  3. Type: sn -k mykey.key (enter)
  4. Move mykey.key to a folder that gets backed up daily, for example: c:\myfiles\keys\
  5. Open your code's solution in Visual Studio.NET
  6. Open the AssemblyInfo class in the editor
  7. For the AssemblyKeyFile() attribute, replace the default "" with the full path of your key. In our example this is "c:\myfiles\keys\mykey.key", so the attribute in full will be:
    C#: [assembly: AssemblyKeyFile("c:\\myfiles\\keys\\mykey.key")]
    VB.NET: <Assembly: AssemblyKeyFile("c:\myfiles\keys\mykey.key")>
  8. Compile your solution. After compilation, your assembly is signed with your strong key.
  9. To congratulate yourself with this big achievement, walk to the fridge and pop open a fresh Heineken.
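
A check for the result of step 8, added here as an example and not part of the original post: it verifies the compiled assembly's strong name and confirms that its public key token is the one belonging to mykey.key. The assembly path and the temporary file name are placeholders, and the script assumes sn prints a "Public key token is ..." line and returns a non-zero exit code on failure.

```batch
@echo off
rem Added example (not from the original post): check the build from step 8.
rem KEY is the key file from step 4; ASM and PUB are placeholder paths.
rem Run it from the command prompt of steps 1-2 so sn.exe is on the PATH.
setlocal
set "KEY=c:\myfiles\keys\mykey.key"
set "ASM=bin\Release\MyLibrary.dll"
set "PUB=%TEMP%\mykey.pub"

rem mykey.key holds the full key pair (private half included).
rem Extract only the public half into a separate file.
sn -p "%KEY%" "%PUB%"
if errorlevel 1 (echo Could not read a key pair from %KEY% & exit /b 1)

rem -vf verifies the strong name signature even when verification
rem has been switched off for this assembly on this machine.
sn -vf "%ASM%"
if errorlevel 1 (echo %ASM% has no valid strong name signature & exit /b 1)

rem Assumption: both commands print a line "Public key token is <hex>".
set "KEY_TOKEN="
set "ASM_TOKEN="
for /f "tokens=5" %%t in ('sn -tp "%PUB%" ^| findstr /c:"Public key token is"') do set "KEY_TOKEN=%%t"
for /f "tokens=5" %%t in ('sn -T "%ASM%" ^| findstr /c:"Public key token is"') do set "ASM_TOKEN=%%t"
del "%PUB%"

if not defined KEY_TOKEN (echo Could not read the token of %KEY% & exit /b 1)
if /i not "%KEY_TOKEN%"=="%ASM_TOKEN%" (
    echo Token mismatch: key %KEY_TOKEN%, assembly %ASM_TOKEN%
    exit /b 1
)
echo %ASM% is signed with %KEY%, public key token %KEY_TOKEN%
```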

*Pfew* I have to lie down now to take some rest after this long, thorough lecture. Sorry people, but you don't need a plugin which requires registration to do this easy stuff. If you can program software, you can sign your assembly. If not, what are you doing near that keyboard? ;)

The signed assembly can be freely distributed to your clients/customers. They can reference it in their .NET projects without having to worry about public keys, public tokens or other hard to understand material. The world is already very complex, let's not make the easy stuff look like it's very complex also.

Update: Thanks to 'Prima Donna' Robert Mclaws for pointing to a typo in the title.

Little man, as soon as you speak Dutch as well as I speak English, you'll have the right to talk.

24 Comments

  • This is groovy. I've been wanting to look this up for a while but I've been too lazy. "Signing your component for dummies."

  • Excellent. I was thinking the same thing the other day when I read our infamous know-it-all saying how hard it was to do. :)

  • Heh, I wouldn't expect anything else than laziness from a person from lazycoder.com :D ;)

  • You no longer have to register to download my tool. Thanks for the plug.

  • Not every bad publicity is 'good', Robert. (and why is my comment removed from the commentslist under your tool? Tssk.. censorship... )

  • Yes. It's easy, but why the heck not use a plugin? Why not make life easier? Is that such a bad thing? Sure, I *could* write property getters and setters manually if I *wanted* to, but I use CodeSmart to make it fast and simple. Is that bad as well?

  • LOL, I was thinking about the same when I read the huge announcement.

    Nice job, do I have to register in the future to read your blog ;-) ?

  • Peter: just subscribe to the RSS feed in your RSS reader, no registration required ;)

    Roy: plugins can be buggy, can mess up your code, can crash the IDE, can corrupt files and more. And that for just 1 line of code. :D

    I don't use any plugins anymore, after I wrote some macros to create regions and properties. I know these will work without hassle. But that's choice. If you want to use a plugin for 1 line of code that is always the same in every project you create, go ahead, it's a free world (for some).

  • Using plugin for adding key file name to AssemblyInfo class????

    LOL!

    btw, first two steps could be replaced by

    1. Run Start/Programs/Microsoft Visual Studio .NET (2003)/Visual Studio .NET Tools/Visual Studio .NET (2003) Command Prompt

  • Ah good one, Oleg :) The less steps, the better :)

  • Just to play devil's advocate here, A macro is the same as a plugin for this discussion. It makes your life simpler. Regardless of the usefulness of Robert's plugin, You can't disregard "simple life mechanisms" so easily, can you? Sure, for one line of code it would seem a bit too much, but that's not usually the case.

  • Roy,

    it's not really the fact someone creates a plugin, it's more the fact there's made a *huge* announcement for a solution to a problem while there is no problem. It's really not a big deal to sign an assembly.

    What would you say when I created a plugin that for example adds the statement "using system.data" to the top of my page? Basically that's what it does.



  • Maxim: you mean a wrapper around sn -k? :)

    Christophe: good point. Although I think if you don't have a security officer it's not that big of a deal, but if you do, then indeed the developer should use delayed signing described in your article.

    The fuss here was more about a big announcement of a plugin to do something very simple :) The philosophy behind signing assemblies, (when to sign, when not to sign), installing in GAC or not, is a big subject, however if you've decided to do so (for example to be sure signed applications can use your assembly), the steps to sign the work are very easy :)

  • I agree with Frans and Joe Coder. For gosh sakes this is so frigging basic and it takes all of 30 seconds. This is chapter 1 of Richter for gosh sakes. How can anyone do anything in .NET if they don't know the most basic things like this? You don't need an add-in to do this as it is uncommenting two lines in AssemblyInfo.

  • You guys are all primadonnas. The first part of my post said I had 30 e-mails in three days saying that people didn't know what it was. OBVIOUSLY there was a need for it SOMEWHERE, or I wouldn't have done it. But you guys are all so friggin brilliant... that's why it wasn't written for you, or the 2000-some-odd people that understand it. It was written for the 6 MILLION other .NET developers who are just getting started in .NET, and don't get it. Not everyone is as smart as you are.

    And BTW, It's not Chapter 1 of Richter. The VB.NET Security Book does not cover it until Chapter 10. And the fact that you think the problem is as simple as one line of code, means you don't REALLY understand what's going on under the covers.

    And in regards to the add-in not dealing with delay-signing... most shops can't even understand regular signing... to them, delay signing is next to impossible. You have to start somewhere.

    Developers look up to you guys for advice, for leadership. Is this being a leader? Leaders don't tear people down. When you post blatantly negative attacks on someone, it makes other people not want to be a part of this community.

    Speaking of starting somewhere, I think you all forgot where you started. There was a time once where you didn't know what strong-name signing was either (it wasn't that long ago, since it came around with the Framework). I doubt anyone derided you for being stupid and not knowing how you did it. Sam, you just single-handedly insulted 6 Million VB.NET developers who don't get the same signing comments that are in the AssemblyInfo.vb file. Are you calling them stupid?

  • Almost forgot. Singing your assembly, huh? I like singing songs, personally, but i can see how singing an assembly can be fun too.

  • The first thing I learned as well when I started .Net (and I started with notepad, MSDN, and Richter) was how to sign and delay-sign an assembly. The assembly, and how it works, how to use it, etc. is fundamental to understanding .Net.

    I understand the reason you felt you needed to create the tool, but I disagree that it was necessary to create a tool when a simple explanation like Frans' would have sufficed. If the comments are not available in VB.Net (as it is in C#, which Sam and I use daily), then I would have answered those 30 emails you mentioned with a blog post explaining the issues. It helps produce better developers who understand why, rather than run another wizard and still have no idea what's going on.

    Working with Sam day-in and day-out, I see that it is ingrained in him that developers understand "why" more than "what". He is not a "prima-donna", as he devotes hours of his time helping this client among many others in the .Net community to understand how .Net works. Sam was not trying to insult the 6 million developers -- instead, he was trying to help them understand why things work the way they do in .Net. Even the VB.Net Security book you mention (by Eric Lippert) goes through many details from the front-end to explain to the VB.Net developer why security is the way it is in .Net. He does all of that without running a single wizard. He mentions nothing about VB.Net because it's immaterial to understanding the fundamental principles of .Net.

  • Can I just skip to Step 9 and repeat it a few times?

  • @Robert: come on man, pointing out a typo from someone whose native language is not English??

    It just shows you can't beat him on arguments.

    I'd like to see you post in Dutch, and I promise I won't point out any typo if I can just understand what it's about.

    [offtopic]

    LOL @ Shannon :)

  • Shannon: hehehe :) You could of course do that, but my experiences are that, if you take step 9 too many times, it's advised not to take any of the previous steps after that ;)

  • WARNING to mr. McLaws: do not ever post a reply to my blogs again. EVER.

  • Peter:

    "What would you say when I created a plugin that for example adds the statement "using system.data" to the top of my page? Basically that's what it does."

    If I remember correctly there is a very cool plugin somewhere that allows you to automatically add missing import (using) statements to your file when you forget to add them. Something like, you time Thread, mark the work and make the shortcut keys, and the using System.Threading line appears automagically. Simple, time saving, and yes, does not take a genius to figure out. Still, it's a wonderful time saving plugin. I would not call such a plugin useless.

  • Ugh, my typos are only enhanced on a Norwegian keyboard, as my last comment would show..

    I meant to say that you highlight the word "thread" and activate the plugin, to automatically have a "using System.Threading" line added to your code.

    Hope that's more understandable.

  • Damn, you nitwits!

    Arguing about whether or not to write an add-in...

    BE HAPPY that you're all .NET coders!

    I still have to experience the terror of Java, ever tried to sign a JAR file?!? you need an entire tool for that! a plugin isn't even sufficient :P

    We're gonna switch to .NET soon :D

    But plz guys, don't argue about something so ignorant... both solutions are good :) surely a user can decide whether or not to use an add-in...

    Greetz,

    -- Rob.

    And yes, he really should have kept his mouth shut about spelling mistakes ;)
