tags:

views:

176

answers:

1
+1  Q: 

When should you protect a strong name key file with a password?

In the visual studio project settings you can choose a strong name key file for signing the assembly. When creating a new one you can choose to protect it with a password. When should you do this? And when should you not?

I am thinking that it could for example be not so smart to protect it with a password if the project is an open source project hosted on Codeplex or similar. Or should it still be protected? Will people be unable to download the source and compile it if the key file is protected? Or, how does this work exactly?

+1  A: 

In general, you should protect it with a password if you don't trust the people with access to it. Anyone with access to the key file can create an assembly with your strong name (unlike authenticode, they're not impersonating you, but they can get they're assemblies to load instead of yours)

As for the open source scenario you described, people can always compile the code - they simply create a new key file, but the assemblies they create will not be loaded by assemblies that try to load your assemblies.

On Freund  2009-10-22 09:15:45
Ooh. So, if I have two assemblies which are signed with strong name keys. If I then add a reference from one to the other, it will only work with the one that was signed with the right key?
Svish  2009-10-22 12:08:53
If you reference a strong name assembly, it cannot be replaced at run-time with an assembly signed with a different key (not entirely correct, but let's leave the more advanced stuff out for now)
On Freund  2009-10-22 13:25:28
And by *at run-time* you mean when the application is run, not while it is running, right? (Just to be sure I don't misunderstand :p)
Svish  2009-10-22 13:48:01
I'm not sure I understand your distinction between run and running... What I mean is that when the assembly reference is resolved, the chosen assembly must have the same strong name.
On Freund  2009-10-22 14:12:07
My *while running* I meant swapping out the assembly after it had been resolved, while the application was running. But I think I got what you meant now :)
Svish  2009-10-22 14:19:57

related questions

What is the best way to do unit testing for ASP.NET 2.0 web pages?
TestDriven.NET is not running my SetUp methods for MbUnit
Automated release script and Visual Studio Setup projects
Setup Visual Studio 2005 to print line numbers
What is the best way to deploy a VB.NET application?
How do you pack a visual studio c++ project for release?
How to set up unit testing for Visual Studio C++
How can I create Debian install packages in Windows for a Visual Studio project?
Plugin for Visual Studio to Mimic Eclipse's "Open Type" or "Open Resource" Keyboard Access
How to generate getters and setters in Visual Studio?
Do you have any recommended add-ons/plugins for Microsoft Visual Studio?
What is keyboard shortcut to view all open documents in Visual Studio 2008
Visual Studio 2008 debugger already attached work-around
Add Custom Tag to Visual Studio Validation
ASP.NET MVC Without Visual Studio
Are Multiple DataContext classes ever appropriate?
Folders or Projects in a Visual Studio Solution?
What's a good book for learning ASP?
Integrating Visual Studio Test Project with Cruise Control
.Net XML comment into API Documentation
Visual Studio Setup Project - Per User Registry Settings
.NET Testing Framework Advice
Automatically update version number
Build for Windows NT 4.0 using Visual Studio 2005?
ASP.NET, Visual Studio and Subversion - how to integrate?