Given a Strong Name Key (snk file). Is there any security issues adding this file to source control for an open source project?
Share
Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
Given a Strong Name Key (snk file). Is there any security issues adding this file to source control for an open source project?
The simple answer is yes and no — it depends on the purpose for which you are strong-name signing your assemblies in the first place.
The MSDN page on Strong-Name Signing summarises the two purposes fairly well.
Any publicly-distributed library (DLL) should be strong-name signed, as long as it is intended to be consumed by the end-user. (i.e. Unless it is an implementation detail or such.)
The primary purpose of signing that I have seen tends to be for more technical reasons, including unique identification (namespaces can sometimes inadvertently clash) and making an assembly available for the GAC. In such cases, making the key file publicly available has no security implications, because none were intended in the first place. No guarantees of trust/origin are provided, but unique identification is still valid. The MSDN page mainly discusses this scenario; the times when you should and should not sign an assembly; and the surrounding details.
If however, you are signing an assembly for the sake of authentication — specifically, to provide a guarantee to the consumer that the assembly comes from the claimed source — then an exoteric (publically-distributed) key utterly invalidates this trust model. That is, anyone can go modify your project code arbitrarily, and rebuild and resign your assemblies correctly, essentially faking your identity. The MSDN page does not address this usage well unfortunately (probably because it needs to be considered more widely as part of a security strategy), but it is important nonetheless.
Finally, be aware that there are two types of key certificate files that the CLR/.NET uses to sign assemblies. The first is an SNK, as you mention; this is non-password-protected. The second is PFX, which is really just a password-protected version of an SNK key file. As long as this password is sufficiently secure, there is hence no security problem in distributing a secured PFX with your open-source software. Visual Studio (and the command-line key generation utility) are of course capable of creating both.