Home/ Questions/Q 6098353
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-23T13:08:54+00:00

I know that it is done by signing assembly with private key. So here

  • 0

I know that it is done by signing assembly with private key.

So here how I see the process …
When we have the private/public key pair file we can build assembly signing it using this keys.
So what in reallity is done is that compiler opens the ‘sk'(or pfx) file and retreives the private key (which I understand is impossible for human) and after signing the assembly with the private key it adds the public key into assembly manifest and that is it I have the strongly named assembly.

So what when I run the application which is referencing that assemly ?
What does CLR to be sure that the assebly is not replaced and nothing was changed?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    A quote from CLR via C#

    Signing an assembly with a private key
    ensures that the holder of the
    corresponding public key produced the
    assembly. When the assembly is
    installed into the GAC, the system
    hashes the contents of the file
    containing the manifest and compares
    the hash value with the RSA digital
    signature value embedded within the PE
    file (after unsigning it with the
    public key). If the values are
    identical, the file’s contents haven’t
    been tampered with, and you know that
    you have the public key that
    corresponds to the publisher’s private
    key. In addition, the system hashes
    the contents of the assembly’s other
    files and compares the hash values
    with the hash values stored in the
    manifest file’s FileDef table. If any
    of the hash values don’t match, at
    least one of the assembly’s files has
    been tampered with, and the assembly
    will fail to install into the GAC.

    Well, here how it works.

    When you compile the assembly noting that you want to sign it with already generated public/private key pair file the compiler computes the hash of the assembly (also computes hashes for each file in the assembly and stores the values along with file names in FileDef table) then it signs the hash value with private key and embeds public key in manifest for that assembly.

    Now in runtime when the application (assembly) tries to load that signed assembly the assembly is again hashed then CLR gets the public key from the assembly manifest and decrypts the RSA sign and compares the hash value with the sign value. If they are the same than nothing was changed.

    • 0