Strong Naming or Authenticode signing a new assemb

Posted 2019-07-24 08:45

Question:

I've been asked by an end user to add "Strong Naming" to one of my components, because they want to reference it from a strong named assembly.

I already have an authenticode certificate, so I'm wondering - to make my component usable by their strong named component, is it enough for me to just sign the component with my authenticode key?

Or do I have to "strong name sign" the assembly (using Al.exe) for it to be considered "Strong named"?

I cannot find any "strong name vs. authenticode" documentation that is explicit regarding this.

Answer 1:

You don't "have" to use strong naming, regardless of whether you apply an authenticode signature. Doing so is a choice, and it is usually completely orthogonal to the choice to apply an authenticode signature. If you could provide more information concerning your strong name signing goals, it would be considerably easier to give you a definitive answer regarding whether these would be addressed via an authenticode signature...


Updated following addition of information to question...

An authenticode signature will not cause an assembly to be considered strongly named. In order for a strongly named assembly to be able to reference your assembly, you must apply a strong name signature (regardless of whether your assembly also happens to have an authenticode signature).



Answer 2:

Strong naming and Authenticode are used for different purposes. Strong naming is mainly used to prevent assembly spoofing (replacement) and for "binding" several assemblies together so that all of them use the predefined version of each other. Authenticode is used to authenticate the author of the PE module (Win32 EXE, DLL or .NET assembly etc). Consequently, you can use either or both of them in parallel.

A note: Authenticode signature validation can take a long time (seconds or even dozens of seconds) in some cases, and depending on your application architecture this can be inappropriate.
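
The following Python sketch is an added example, not part of the original question or answers. It shows why one signature cannot stand in for the other: the Authenticode certificate table (PE data directory 4) and the strong name signature (referenced from the CLR header, data directory 14) are separate slots in the file. It checks presence only, not cryptographic validity; `signature_slots` and `build_sample` are hypothetical names, and the sample image is constructed.

```python
import struct

STRONGNAME_SIGNED = 0x8  # COMIMAGE_FLAGS_STRONGNAMESIGNED in the CLR header flags

def signature_slots(pe: bytes) -> dict:
    """Report which signature slots a PE image populates (presence, not validity)."""
    nt = struct.unpack_from("<I", pe, 0x3C)[0]            # e_lfanew
    if pe[:2] != b"MZ" or pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsect, opt_size = struct.unpack_from("<H12xH", pe, nt + 6)
    opt = nt + 24                                         # optional header start
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic not in (0x10B, 0x20B):                       # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    dirs = opt + (96 if magic == 0x10B else 112)          # data directory array
    n_dirs = struct.unpack_from("<I", pe, dirs - 4)[0]
    def entry(i):                                         # (address, size) of directory i
        return struct.unpack_from("<II", pe, dirs + 8 * i) if i < n_dirs else (0, 0)
    def to_offset(rva):                                   # map an RVA through the section table
        for s in range(nsect):
            vsize, va, rsize, rptr = struct.unpack_from("<IIII", pe, opt + opt_size + 40 * s + 8)
            if va <= rva < va + max(vsize, rsize):
                return rva - va + rptr
        raise ValueError("RVA not inside any section")
    _, cert_size = entry(4)                               # Authenticode blob (a file offset, not an RVA)
    clr_rva, _ = entry(14)                                # CLR header: only managed images have one
    flags = sn_size = 0
    if clr_rva:
        clr = to_offset(clr_rva)
        flags = struct.unpack_from("<I", pe, clr + 16)[0]
        _, sn_size = struct.unpack_from("<II", pe, clr + 32)  # StrongNameSignature directory
    return {"managed": clr_rva != 0, "authenticode": cert_size > 0,
            "strong_name_signed": bool(flags & STRONGNAME_SIGNED) and sn_size > 0}

def build_sample(clr_flags=0, sn_size=0, cert_size=0) -> bytes:
    """Constructed minimal PE32 image (headers, one section, CLR header); not loadable."""
    img = bytearray(0x400)
    struct.pack_into("<2s58xI", img, 0, b"MZ", 0x80)                      # DOS stub + e_lfanew
    struct.pack_into("<4sHH12xH", img, 0x80, b"PE\0\0", 0x14C, 1, 224)   # COFF: 1 section
    struct.pack_into("<H90xI", img, 0x98, 0x10B, 16)                      # PE32 magic, 16 directories
    struct.pack_into("<II", img, 0xF8 + 8 * 4, 0x400 if cert_size else 0, cert_size)
    struct.pack_into("<II", img, 0xF8 + 8 * 14, 0x2000, 72)               # CLR header directory
    struct.pack_into("<8sIIII", img, 0x178, b".text", 0x200, 0x2000, 0x200, 0x200)
    struct.pack_into("<I12xI", img, 0x200, 72, clr_flags)                 # CLR header: cb, flags
    struct.pack_into("<II", img, 0x220, 0x2050 if sn_size else 0, sn_size)
    return bytes(img) + bytes(cert_size)                                  # placeholder cert bytes
```

An image with only the certificate table populated reports `authenticode: True` and `strong_name_signed: False`, which is the situation the question describes; a delay-signed assembly (space reserved, flag clear) also reports `strong_name_signed: False`.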