Strongly named assemblies in .NET explained

When the assembly is strongly-named, a “hash” is constructed from the contents of the assembly, and the hash is encrypted with the private key. Then this signed hash is placed in the assembly along with the public key from the .snk.

Later on, when someone needs to verify the integrity of the strongly-named assembly, they build a hash of the assembly’s contents, and use the public key from the assembly to decrypt the hash that came with the assembly – if the two hashes match, the assembly verification passes.

It’s important to be able to verify assemblies in this way to ensure that nobody swaps out an assembly for a malicious one that will subvert the whole application. This is why non-strong-named assemblies aren’t trusted in the same way that strongly-named assemblies are, so they can’t be placed in the GAC. Also, there’s a chain of trust – you can’t generate a strongly-named assembly that references non-strongly-named assemblies.

Source: .net – What is a .snk for? – Stack Overflow
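The sign-then-verify flow described above, modeled as an added C# example that is not part of the quoted answer or of the .NET runtime's own code. It assumes .NET Core 3.0 or later, uses SHA-256 with PKCS#1 v1.5 padding as the example's own choice rather than the CLR's on-disk strong-name format, and the names `StrongNameModel`, `Sign` and `Verify` are hypothetical. The expected-key comparison models how a reference to a strong-named assembly records the signer's public key token.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

static class StrongNameModel
{
    // Signing side: hash the contents, sign the hash with the private key,
    // and ship the signature together with the public key.
    static (byte[] Signature, byte[] PublicKey) Sign(byte[] contents, RSA keyPair) =>
        (keyPair.SignData(contents, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1),
         keyPair.ExportRSAPublicKey());

    // Verifying side: the embedded key must be the one the caller expects,
    // and the signature must match a fresh hash of the contents.
    static bool Verify(byte[] contents, byte[] signature,
                       byte[] embeddedKey, byte[] expectedKey)
    {
        if (!embeddedKey.SequenceEqual(expectedKey)) return false;
        using RSA rsa = RSA.Create();
        rsa.ImportRSAPublicKey(embeddedKey, out _);
        return rsa.VerifyData(contents, signature,
                              HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
    }

    static void Main()
    {
        // Constructed stand-in for an assembly's bytes.
        byte[] contents = Encoding.UTF8.GetBytes("constructed assembly contents");

        using RSA publisher = RSA.Create(2048);   // plays the role of the .snk key pair
        var (signature, publicKey) = Sign(contents, publisher);
        Console.WriteLine($"intact contents:       {Verify(contents, signature, publicKey, publicKey)}");

        byte[] modified = (byte[])contents.Clone();
        modified[0] ^= 0x01;                      // a single changed bit
        Console.WriteLine($"modified contents:     {Verify(modified, signature, publicKey, publicKey)}");

        using RSA other = RSA.Create(2048);       // a key the caller does not expect
        var (otherSig, otherKey) = Sign(contents, other);
        Console.WriteLine($"unexpected signer key: {Verify(contents, otherSig, otherKey, publicKey)}");
    }
}
```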
