Can strong naming an assembly be used to verify the assembly author?

Question

I have been reading the proper article in MSDN, Strong-Named Assemblies and a related Stack Overflow question, Checking an assembly for a strong name.

Answer 1

Authenticode relies on a third party certificate authority for certificate validation. Strong naming works like a self-signed certificate and can be treated as such. It does use standard digital signatures, but the problem lies in verifying the public key of the assembly author is indeed valid. If you get it separately via a trusted channel from the author and you trust that channel, then yes, you can verify it just like a self-signed certificate.

As long as you are sure the strong name private key is kept safe by the author and you know author's public key, you can make sure it's not tampered with (to the extent you can make sure a digitally signed email is not tampered with). By the way, don't get me wrong: the quote is completely true and an attacker can easily resign the assembly or remove the existing signature. However, the resulting assembly will have a **different* digital signature that can be checked against the original (if you have the original public key).

In this case, it's similar to a self-signed certificate. If you can somehow be sure of the author's public key, you can verify the authority. However, unlike Authenticode which relies on a certificate authority, there is no straightforward, system-defined, way to distribute the public key.