Question

I would like to start signing my assemblies so that they can be deployed to the GAC and shared/re-used across multiple applications, etc.

Microsoft provides a lot of documentation, but it doesn't really explain it to me - especially once you add ClickOnce deployments in there.

There is a key and a certificate: Can I create these myself using sn.exe and makecert.exe, or are these tools just for development and I need to get them from a CA (Verisign for example)?

What is the difference between the key and the certificate?

Can I re-use the key and certificate for all my applications (this is what I want to do)?

What name (file extension) do I give a key/certificate? ClickOnce automatically creates a .pfx file - is that what to create with sn.exe or should it be .snk?

Given that all my applications are internal to the company, and we've made the decision NOT to use ClickOnce but deploy through MSI files - do I need to worry about this at all?

I don't NEED to deploy files to the GAC - it's just something I've been reading up on.

Solution

All you need to deploy to the GAC is a strong-name signature. Strong-names are used by the .NET runtime to identify an assembly and include a name, version, and digital signature. A strong-name key file (.snk) can be generated by the strong-name tool (sn.exe). Once you have a key file you can use the tool to sign an assembly manually or change your project settings to automatically sign the assembly on build.

There is no certificate authority (CA) involved in verifying these digital signatures. Nothing prevents an assembly from being re-signed with a different key; it just wouldn't be your key. I would also note that they are non-revocable, so you should keep them safe.

You certainly can use the same key for all assemblies you publish.

More on strong-name signing.

Digital signatures (e.g. Authenticode) are a different mechanism that can identify assemblies and have some additional features. They can be used to verify that an assembly hasn't been tampered with and the certificates are revocable by the CA. Makecert.exe is a developer tool for creating internal certificates for testing.
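
The strong-name workflow described in the answer above, as an added example that is not part of the original answer: generate a key pair with sn.exe, sign on build, then verify the signature and confirm the assembly carries the expected public key token. It assumes sn.exe and msbuild.exe are on the PATH (for instance in a Developer PowerShell for Visual Studio); every file and project name is hypothetical.

```powershell
# Added example. Assumes sn.exe and msbuild.exe are on PATH.
# All file and project names below are hypothetical.
$keyPair   = Join-Path $PWD 'Company.snk'         # private + public key: protect it
$publicKey = Join-Path $PWD 'CompanyPublic.snk'   # public half only
$project   = '.\Company.Shared.csproj'
$assembly  = '.\bin\Release\Company.Shared.dll'

function Assert-Ok([string]$Step) {
    # Native tools report failure through the exit code, not an exception.
    if ($LASTEXITCODE -ne 0) { throw "$Step failed (exit code $LASTEXITCODE)" }
}

function Get-Token([string[]]$SnOutput) {
    # sn.exe prints a line of the form "Public key token is <16 hex digits>".
    $hit = $SnOutput |
        Select-String -Pattern 'Public key token is\s+([0-9a-fA-F]{16})' |
        Select-Object -First 1
    if (-not $hit) { throw 'No public key token in sn.exe output (unsigned assembly?)' }
    $hit.Matches[0].Groups[1].Value.ToLowerInvariant()
}

# 1. Create the key pair once; the same file can sign every assembly you publish.
if (-not (Test-Path $keyPair)) { sn.exe -k $keyPair; Assert-Ok 'Key generation' }

# 2. Export the public key and record the token that referencing code will use.
sn.exe -p $keyPair $publicKey; Assert-Ok 'Public key export'
$expected = Get-Token (sn.exe -tp $publicKey)

# 3. Sign on build (the same properties the project's signing settings control).
msbuild.exe $project /p:Configuration=Release /p:SignAssembly=true "/p:AssemblyOriginatorKeyFile=$keyPair"
Assert-Ok 'Build'

# 4. Verify the signature, forcing the check even if verification has been
#    disabled for this assembly in the registry, then compare tokens.
sn.exe -vf $assembly; Assert-Ok 'Signature verification'
$actual = Get-Token (sn.exe -T $assembly)

if ($actual -ne $expected) {
    throw "Signed with an unexpected key: token $actual, expected $expected"
}
"OK: $assembly is strong-named with token $actual"
```

Because no CA vouches for the key, the token comparison in step 4 is the only thing that ties the assembly to your key rather than someone else's.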

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow