Signing assemblies - basics

Question

What does it mean to sign an assembly? And why is it done?

What is the simplest way to sign it? What is the .snk file for?

Answer 1

Signing is there to prove that the assembly is created by a known person or company, and not changed by anyone else.

When signing an assembly a hash is created and signed with a private key. If the assembly is changed, for instance by malware, it is easy to find out by checking the hash and the signature using the public key (which is included in the assembly).

Signing the assembly is therefore to protect the target system from being hacked. You could turn off signature checks in the .NET configuration. It is in the interest of the end user to have signatures checked. Signatures are checked when loading assemblies.

The snk file holds the private key to sign the assembly, and the public key to check it. It needs to be protected. If someone gets your private key, he could sign assemblies as if they where signed by you.

The simplest way to sign it is to choose the snk file within the project settings.