What is the difference between a strong signed assembly and a publisher certified assembly?

Strong Signed
To strong sign an assembly (the official term is "strong-name" it) you generate an RSA key pair and sign the assembly with the private key. The signing process computes a hash of the compiled code, signs that hash with the private key and embeds both the signature and the public key in the assembly. Whenever the CLR loads the assembly it notices the signature, recomputes the hash of the assembly and checks the signature against it using the embedded public key. If the check fails then the assembly has been changed since it was signed and so the CLR refuses to load it.

Placing an assembly into the global assembly cache (GAC) requires that you strong sign the assembly. This is a reasonable precaution because there might be many different applications using the GAC assembly and you want to be sure it has not been modified to inject some malicious code.

However, the signature on its own does not prove who produced the assembly. Anyone can strip the signature from an assembly, modify the assembly and then sign it again. They cannot sign it with the original private key because, hopefully, that is safely tucked away at the publisher's. But they can generate a new key pair and use that to sign it instead.

So the second half of the equation is the reference in the calling assembly. When the calling assembly was compiled, the compiler embedded the public key token of the signed assembly (the last 8 bytes of the SHA-1 hash of its public key, in reverse byte order) into the assembly reference, alongside the name, version and culture. So now when the application loads it not only knows the name of the assembly it wants to load but also knows that it should be signed with a particular key.

This prevents the attack just mentioned. If someone takes the System.Windows.Forms assembly in the GAC, injects some dodgy code and then resigns it with their own key, your application is protected. Your application starts up but the CLR loader finds that the public key token of the assembly it located does not match the one recorded in your reference at compile time. Hey presto, the load fails with a FileLoadException and you know something is wrong. Two caveats are worth knowing. A strong name proves which key signed the assembly, not who holds that key, which is why Microsoft describes strong names as an identity mechanism rather than a trust mechanism. And from .NET Framework 3.5 SP1 onwards the runtime skips strong-name signature verification for assemblies loaded into fully trusted applications (and .NET Core never performed it), so the public key token match on binding is the part of this protection you can still count on; an assembly patched in place without being resigned would load.
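The identity check described above, as an added example that is not part of the original post: a Windows PowerShell script that reads the strong-name identity from a library, recomputes its public key token from the embedded public key, and compares it with the token that a calling assembly recorded in its reference. The file paths are placeholders, and it assumes Windows PowerShell 5.1 on the .NET Framework, where ReflectionOnlyLoadFrom is available.

```powershell
# Added example (not Component Factory code): inspect a strong-name binding.
# Paths below are placeholders; replace them with a library you ship and an
# application that references it.
param(
    [string]$Library = '.\Krypton.Toolkit.dll',   # assumed path to the signed library
    [string]$Caller  = '.\MyApp.exe'              # assumed path to the application that references it
)

function Format-Hex([byte[]]$Bytes) {
    if (-not $Bytes -or $Bytes.Length -eq 0) { return '(none)' }
    return ($Bytes | ForEach-Object { $_.ToString('x2') }) -join ''
}

# 1. The identity recorded in the library itself: name, version, culture and
#    public key token. This reads the manifest; it is not a signature check.
$libName = [System.Reflection.AssemblyName]::GetAssemblyName((Resolve-Path $Library).Path)
$blob    = $libName.GetPublicKey()
"Library identity: $($libName.FullName)"

# 2. Recompute the token from the public key blob: the token is the last
#    8 bytes of SHA-1(blob), in reverse byte order. An empty blob means the
#    library is not strong-named at all. The 16-byte ECMA placeholder key
#    used by Microsoft's own framework assemblies is a special case for
#    which the runtime substitutes a fixed token, so only full RSA key
#    blobs are hashed here.
if (-not $blob -or $blob.Length -eq 0) {
    throw "$Library is not strong-named; nothing for a reference to bind to"
} elseif ($blob.Length -gt 16) {
    $sha1     = [System.Security.Cryptography.SHA1]::Create()
    $hash     = $sha1.ComputeHash($blob)
    $computed = $hash[-1..-8]      # trailing 8 bytes, reversed
    "Token (computed from key) : $(Format-Hex $computed)"
    "Token (stored in manifest): $(Format-Hex $libName.GetPublicKeyToken())"
} else {
    "Library carries the 16-byte ECMA key; token $(Format-Hex $libName.GetPublicKeyToken()) is assigned by the runtime"
}

# 3. What the caller expects. Each assembly reference carries the name,
#    version, culture and public key token the caller was compiled against.
#    ReflectionOnlyLoadFrom inspects metadata without running any code.
$callerAsm = [System.Reflection.Assembly]::ReflectionOnlyLoadFrom((Resolve-Path $Caller).Path)
$expected  = $callerAsm.GetReferencedAssemblies() | Where-Object { $_.Name -eq $libName.Name }
if (-not $expected) { throw "$Caller does not reference $($libName.Name)" }
"Caller expects  : $($expected.FullName)"

# 4. The binding check the loader performs: same name, and the token in the
#    reference must equal the token of the key the library was signed with
#    (version and culture are matched too). A library that was stripped and
#    re-signed with a different key fails here.
$stored = Format-Hex $libName.GetPublicKeyToken()
$wanted = Format-Hex $expected.GetPublicKeyToken()
if ($stored -ne $wanted) {
    throw "Public key token mismatch: library is signed with $stored but the caller expects $wanted"
}
'Public key token matches; the reference binds to this key.'
```

To check the signature itself rather than just read the token out of the manifest, run `sn.exe -vf .\Krypton.Toolkit.dll` from the Windows SDK; that recomputes the hash and verifies it against the embedded public key.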

Publisher Signing
The internet adds a whole new level of threat to your machine. Any bored developer could write a Trojan horse application and offer it for download from a benign looking website. That free Spyware Remover application actually installs a key logger to grab your bank account details. They have strong signed all the assemblies in the application so it looks well behaved. But all the strong signing does is tell you the Trojan horse application is intact and in the original condition intended by the nefarious developer!

This is where the trust based security model comes into play. Whenever you download an application, or installer, from the internet and then try to run it, Windows will show you a warning asking if you really want to run this software, and present you with information about the publisher of the software. If you trust the publisher then you would let it run; if you don't trust the publisher, or if there are no publisher details at all, then you should not run it.

As a publisher you can get hold of a code signing certificate from one of the big providers such as VeriSign and use that to sign the application/installer (this is Authenticode signing). Then the downloader is shown your publisher details and can be sure it came from the publisher named in the certificate and has not been tampered with since it was signed.
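The check that the Windows warning dialog performs, as an added example that is not part of the original post: a Windows PowerShell snippet that verifies the Authenticode signature on a downloaded installer and refuses to run it unless the signature is valid, the certificate chains to a trusted root and the signer is the publisher you expected. The file path and the expected publisher name are placeholders; Get-AuthenticodeSignature is a built-in cmdlet.

```powershell
# Added example (not Component Factory code): verify a publisher signature
# before running a download. Path and publisher name are placeholders.
$Installer         = '.\KryptonSetup.exe'           # assumed path to the download
$ExpectedPublisher = 'CN=Example Software Ltd'      # assumed: subject you expect in the certificate

$sig = Get-AuthenticodeSignature -FilePath $Installer

# Status tells the whole story: NotSigned means there is no publisher to
# trust, HashMismatch means the file changed after it was signed, NotTrusted
# means it is signed but the certificate does not chain to a trusted root
# (a self-signed test certificate, for example). Only Valid means intact
# and trusted.
switch ($sig.Status) {
    'Valid'        { }
    'NotSigned'    { throw "$Installer is not signed: no publisher to trust" }
    'HashMismatch' { throw "$Installer has been modified since it was signed" }
    'NotTrusted'   { throw "$Installer is signed, but the certificate is not trusted: $($sig.StatusMessage)" }
    default        { throw "$Installer signature check failed: $($sig.Status) - $($sig.StatusMessage)" }
}

$cert = $sig.SignerCertificate
"Signer      : $($cert.Subject)"
"Issuer      : $($cert.Issuer)"
"Thumbprint  : $($cert.Thumbprint)"
"Valid until : $($cert.NotAfter)"
if ($sig.TimeStamperCertificate) {
    "Timestamped : $($sig.TimeStamperCertificate.Subject)"
} else {
    'Warning: no timestamp; an untimestamped signature stops validating once the certificate expires'
}

# A valid signature only proves the file is intact and came from *some*
# publisher with a trusted certificate. Pin the publisher you meant to
# download from, otherwise any signed Trojan passes this check.
if ($cert.Subject -notlike "*$ExpectedPublisher*") {
    throw "Signed by '$($cert.Subject)', not by the expected publisher '$ExpectedPublisher'"
}
"Signature is valid and from the expected publisher; safe to run $Installer"
```

`signtool verify /pa /v .\KryptonSetup.exe` from the Windows SDK performs the same verification and prints the full certificate chain, which is handy when the status comes back as NotTrusted and you need to see which link is missing.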

Component Factory has its own certificate from VeriSign and we sign all our installers so you can be sure it is in the original intended state and has not been tampered with.

Publisher Signing Assemblies
As well as publisher signing your application/installer you should publisher sign each of the individual assemblies. This has a couple of benefits.

First of all the end user can right click any of your assemblies and see that it is signed and examine the certificate details. This should give them a nice cozy feeling and allow your support people to show that it is not your assembly that has been hacked on your end user's infected machine.

But the most important benefit is that it allows your assemblies to be used by an application that is undergoing Vista certification. The certification requirements for the Vista logo require that your application, and crucially all the assemblies it references, be publisher signed. As a component vendor it is therefore essential that our own assemblies are signed so that applications built by our customers can pass the logo requirements.

Component Factory Assemblies
This requirement only came to light today when a customer needed publisher signed copies of the Krypton 2.5.1 release so they could progress with Vista logo certification. If you also need them just fire off an email to us and we can provide them on demand. All future releases of Krypton will have them signed automatically as part of the build process.
