Code sign .NET assemblies or just the setup?

Question

My company finally bought a code-signing certificate.

I have a WinForms application (1 exe and several dlls), all assemblies are already signed with a strong name. The entire application is then packaged into a msi installer. Then I use NSIS to pack the msi, the bootstrapper and the prerequisites (Framework, SQL CE...) into a single setup.exe.

Obviously my setup.exe needs to be signed, to avoid the "scary" UAC prompt. Is that enough or would you also sign the other files, especially the .NET assemblies?

Another project that belongs to the application is a Windows serivce. Would you sign that assembly?

Answer 1

You don't have to but its not a bad idea.

Authoring a Fully Verified Signed Installation

You can use these guidelines to cover an entire Windows Installer installation by a digital signature.

Authors of Windows Installer installations must adhere to the following to ensure that all parts of the installation are covered by a digital signature:

• Use internal cabinet files, or use signed external cabinet files and correctly author the MsiDigitalSignature table and MsiDigitalCertificate table.
• Use only custom actions stored within the package or installed with the package.
• Sign the installation package.
• Include an MsiPatchCertificate table in the package. To enable User Account Control (UAC) Patching, this table must contain information used to identify the signer certificates used to digitally sign patches. UAC patching enables the author of the installation package to identify digitally-signed patches that can be applied in the future by non-administrator users.

The instructions above cover what you need to do for the installer itself. Signing the assemblies is up to you and is somewhat of a separate issue and has separate concerns and benefits. Please read Strong name assemblies can keep you out of DLL Hell for more information about signing assemblies.