tags:

views:

430

answers:

2
+5  Q: 

Should interop assemblies be signed?

We have a set of COM components developed in VC++. When a reference to such component is added to a .NET project Visual Studio generates an interop assembly. We have a set of such assemblies now.

While running our daily build we sign all the produced binaries with a digital signature. Interop assemblies are not signed since we don't feel we are the authors - anyone can use Visual Studio and produce the same assemblies.

Should we sign the interop assemblies as well? Should we also sign them with a strong name (sn.exe utility)? What are the reasons to do so?

+5  A: 

This has been a tricky balance for some time. The issue comes from the fact that you need to distribute your Interop assemblies with your code and you may be signing your own assemblies. If you sign your assembly then all the assemblies it references must also be signed - including the Interop assemblies. So you have to sign them.

If you are distributing a standalone application then there's no risk and you should just go ahead and sign the assemblies to make your life easier.

If you are distributing component libraries, things can be a bit trickier since another developer using your libraries might generate their own interop assemblies but sign them with their own keys. This causes all sorts of naming and dependency issues.

Depending on how complex your Interop assemblies are - you can generate the proxy code into a separate .CS/.VB file and compile it directly into your assembly. Then you won't have to worry about strong name issues.

Paul Alexander  2009-04-28 09:23:07
I've posted a follow up question about generating COM interop proxies to C# source code: http://stackoverflow.com/questions/1058289/how-do-i-generate-com-interop-proxies-into-c-source-code
Manga Lee  2009-06-29 13:32:36
+1  A: 

We use Sn.exe to strong name our interop assemblies produced by the tools as wrappers around COM objects. We need to do this as the assemblies loading them are signed, hence they need to be signed.

To generate the interop assemblies we use:

tlbimp Some_COM.dll /delaysign /publickey:"Some_PublicKey.snk" /out:Some_COM2Lib.dll"

Obviously remove /delaysign if you are fully signing.

As for not authoring the assmeblies, this might be the case, but you are responsible for them. You want to ensure that they are not replaced (accidently or not) by anyone else, so you probably should apply the same level of signing/strong names as you apply to your other code.

Colin Desmond  2009-04-28 09:26:02

related questions

Subsonic Vs NHibernate
How to check For File Lock in C# ?
Is nAnt still supported and suitable for .net 3.5/VS2008?
Limit size of Queue<T> in .NET?
Viewstate invalid when using Safari
Free OCR library
Unhandled Exception Handler in .NET 1.1
Localising date format descriptors
Get a new object instance from a Type in C#
VFP .NET OLEdb provider does not work in Win 64-Bits. Help
.NET Testing Framework Advice
Embedded Database for .net that can run off a network
Automatically update version number
Homegrown consumption of web services
How do you migrate a large app from VB6 to VB .net ?
.NET Migrations Engine
Adding Scripting functionality to .NET applications
SQLite and XSD
Floating Point Number parsing: Is there a Catch All algorithm?
How do I programmatically create a PDF in my .NET application?
How do I sync the SVN revision number with my ASP.NET web site?
XSD DataSets and ignoring foreign keys
Anatomy of a "Memory Leak"
Reliable Timer in a Console Application
How do I calculate relative time?