Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
I have seen in many article it is written that
Delay signing and strong name for an assembly prevents it from hi-jacked.
What does that mean?
The only thing that i know is without a strong name you can not install an assembly in GAC.
So suppose i have an assembly without a strong name, Can it be hi-jacked?
Someone please clarify my doubt.
There is plenty of information about this on MSDN; for example: Strong Naming, and Delay Signing
To summarize the basic idea:
Strong naming is a way of stamping your assembly with a simple identification mark, that can be used later to validate that it has not been modified since it was deployed. The strong name is basically a hash of the assembly’s name, version, and a “strong-name key” unique to the developer. References to strong name assemblies go through stricter validation that reference to non-strongly-named ones; in particular, strong-named references must match version numbers, and the strong name hash must match.
This helps avoid two common sources of potential security vulnerabilities in your programs:
The strong name process will reject both of these actions because the strong name data will not match. This is why assemblies in the GAC must be strong named: they are uses so ubiquitously, they would otherwise make major targets for this kind of hijacking.
Note, however, that strong names do absolutely nothing to verify the identity of the publisher. Anyone can publish a strongly-named assembly claiming to be Microsoft and there’s nothing in the strong name to refute that assertion. Verifying identify is the job of Authenticode digital signatures, which are different from strong naming. The two are often used together, but they are orthogonal concepts.
Delay signing is a technique for signing assemblies outside of the build process. The idea here is, your company might have policies that don’t allow the strong name keys from being available at build time (perhaps they are kept offline, or secured behind a password.) A delay signed assembly is marked with a blank strong-name key: it basically reserves space for the key to be added later, by an authorized user. In the mean time, a partial strong-name key is included — just enough information for other assemblies to make a strong reference, but not enough to detect changes or modifications.