I don't usually bother with signing my .NET assemblies, so I don't know much beyond the basic mechanics of it. For a small project I'm working on, it was n开发者_如何学Cecessary to sign, and I created a new key, protected with a password.
I expected to be prompted for this password at some point in time when recompiling the assembly, but I've never needed to enter it anywhere after creating the key file. This seems to defeat the purpose of password protecting the key in the first place.
I imagine the password is cached somewhere, but where? Is it in some kind of private storage? If I give someone else my entire solution directory with the key file in it, will they be prompted for the password I entered, or will they be able to sign the assembly without the password?
There are lots of articles on the internet about strong name keys and using them, but for some odd reason they all gloss over how the password is actually used by Visual Studio.
Update: Restarting Visual Studio (and Windows) has no effect, so the caching appears to be persistent. Deleting the .suo file does not change the fact that no password is needed to sign the assembly.
See the documentation for the Create Strong Name Key Dialog Box.
The password information is stored in your computer's cryptographic storage database.
Other information from CLR Inside Out: Using Strong Name Signatures.
You can install the private key in a key container using restrictive access control lists (ACLs) to prevent unauthorized access to the key container. Alternatively, you can store the private key on a smart card or other separate hardware device. The sn.exe tool allows you to use a different cryptographic service provider (CSP) for signing. Take a look at the –c option in the documentation for sn.exe.
精彩评论