snk vs. code signing certificate

Yaron Naveh picture Yaron Naveh · Aug 22, 2010 · Viewed 14k times · Source

In my organization we use snk files with strong names assemblies. We generate the snk ourselves.

In addition we use a code signing signature on the binaries. We get the pfx from Verisign.

  • What is the difference between these two processes?
  • Isn't it a problem that the snk is not recevied from Verisign also?

Answer

Dave Swersky picture Dave Swersky · Aug 22, 2010

The snk and pfx are used for two different purposes. The snk is used for strong-naming, which uses a key pair to uniquely identify an assembly. The pfx is for code signing, which is a similar process but one that is intended to prevent malicious tampering with assemblies that are distributed publicly. Using both on an assembly both strong-names AND signs it.

It's OK to generate your own SNK file as long as you keep the private key secure. The PFX file you get from Verisign allows you to sign the assembly using a key secured by a third party. This is an additional layer of security that lets users of your assembly know that it has not been tampered with.