Re: Code signing (signcode versus strong name)?
From: Michel Gallant (neutron_at_NOSPAMistar.ca)
Date: 03/31/04
- Next message: Christer: "PGP"
- Previous message: Hernan de Lahitte: "Re: Code signing (signcode versus strong name)?"
- In reply to: FLO: "Code signing (signcode versus strong name)?"
Date: Wed, 31 Mar 2004 09:40:08 -0500
---- Strong Names --------
A strong-name is a simple assembly-embedded key with an associated
hash value.
It is only known and used by the .NET infrastructure to guarantee
integrity, and is required before placing an assembly in the GAC, or,
if the assembly is application-specific, is checked on each loading.
---- Authenticode Signatures ----
Authenticode signatures apply to any PE file (assembly or traditional
native .exe, .dll, .cat, .vbs, .cab etc.). They are based on CMS/PKCS #7
standards and are embedded in a MS-specific way. It is possible to verify such a
signature on a .NET assembly even on a WinOS without any .NET Framework
installed!
Authenticode signatures can be verified "out of band" in any OS (Win95 - Server 2003)
and Authenticode permeates every Win OS (and will continue to do so).
Authenticode signatures tie into the trust issuance ladder associated with PKI and
certificate stores (whereas strong-name has no explicit notion of any issuance or
associated trust model of the signer).
See also excellent article:
http://msdn.microsoft.com/netframework/default.aspx?pull=/library/en-us/dnnetsec/html/strongNames.asp
- Mitch Gallant
MVP Security
www.jensign.com
"FLO" <floriz@web.de> wrote in message news:O6FQl%23vFEHA.740@tk2msftngp13.phx.gbl...
> What is the difference between the following two ways of signing
> .net-applications?
>
> 1) I give the assembly a strong name.
> (By specifying a key-file in the AssemblyInfo.cs-File)/using sn.exe.
>
> 2) I compile the assembly without strong name.
> Afterwards I attach a signature to the binary using signcode.exe
> (like it is done for COM)
>
> Thank you
>
> Florian Zug
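
Added example (not part of the original post, and not code from Microsoft or the poster): the reply above says a strong name lives in .NET-specific structures while an Authenticode signature is a PKCS #7 blob embedded in any PE file, readable without the .NET Framework. The Python below locates both in a PE image using only the PE header layout. The function names and the sample image are constructed for illustration, and the code reports where each signature sits without verifying either one.

```python
import struct

def locate_signatures(pe: bytes) -> dict:
    """Report where a PE image stores its Authenticode and strong-name signatures."""
    nt = struct.unpack_from("<I", pe, 0x3C)[0]          # e_lfanew
    if pe[:2] != b"MZ" or pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, opt_size = struct.unpack_from("<H12xH", pe, nt + 6)
    opt = nt + 24
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = opt + {0x10B: 96, 0x20B: 112}[magic]         # PE32 / PE32+
    ndirs = struct.unpack_from("<I", pe, dirs - 4)[0]
    def directory(i):
        return struct.unpack_from("<II", pe, dirs + 8 * i) if i < ndirs else (0, 0)
    def rva_to_offset(rva):
        for s in range(nsec):
            vsize, va, rsize, raw = struct.unpack_from("<IIII", pe, opt + opt_size + 40 * s + 8)
            if va <= rva < va + max(vsize, rsize):
                return raw + rva - va
        raise ValueError("RVA outside all sections")
    found = {"authenticode": None, "strong_name": None}
    cert_off, cert_size = directory(4)      # this entry is a file offset, not an RVA
    if cert_size:                           # WIN_CERTIFICATE header precedes the PKCS #7 data
        length, _rev, ctype = struct.unpack_from("<IHH", pe, cert_off)
        found["authenticode"] = {"offset": cert_off, "length": length, "pkcs7": ctype == 2}
    clr_rva, clr_size = directory(14)       # CLR header, present only in .NET assemblies
    if clr_size:
        clr = rva_to_offset(clr_rva)
        flags = struct.unpack_from("<I", pe, clr + 16)[0]
        sn_rva, sn_size = struct.unpack_from("<II", pe, clr + 32)
        found["strong_name"] = {"flag_set": bool(flags & 0x8), "rva": sn_rva, "size": sn_size}
    return found

def build_sample() -> bytes:
    """Constructed PE32 header skeleton (no real code or signature bytes)."""
    img = bytearray(0x410)
    img[0:2], img[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", img, 0x3C, 0x40)
    struct.pack_into("<HH12xHHH", img, 0x44, 0x14C, 1, 224, 0x2102, 0x10B)  # COFF + PE32 magic
    opt = 0x58
    struct.pack_into("<I", img, opt + 92, 16)                     # 16 data directories
    struct.pack_into("<II", img, opt + 96 + 8 * 4, 0x400, 16)     # certificate table
    struct.pack_into("<II", img, opt + 96 + 8 * 14, 0x2000, 72)   # CLR header
    struct.pack_into("<8sIIII", img, opt + 224, b".text", 0x200, 0x2000, 0x200, 0x200)
    struct.pack_into("<I", img, 0x210, 0x9)                       # ILONLY | STRONGNAMESIGNED
    struct.pack_into("<II", img, 0x220, 0x2080, 128)              # StrongNameSignature dir
    struct.pack_into("<IHH", img, 0x400, 16, 0x0200, 0x0002)      # WIN_CERTIFICATE header
    return bytes(img)
```

On a real file, pass `open(path, "rb").read()` to `locate_signatures`; a native DLL signed only with signcode reports `strong_name` as `None`, which reflects the point that Authenticode does not depend on .NET.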