Strong Name and Authenticode Signature

Sometimes you will see a managed assembly have both strong name and authenticode signature and are confused about their differences. Simply speaking, they use different mechanisms to help users to judge if the assembly comes from a trustable source. Also, strong-name sign is only for .NET managed assembly, and Authenticode sign is for both managed and native assembly.

Strong-name Sign

There is a good article about strong name signature https://msdn.microsoft.com/en-us/magazine/cc163583.aspx. Simply there are a few points worthy note:

  • If an assembly is installed to GAC, this assembly has to be strong-name signed.
  • If the target application is strong-name signed, all the references must be strong-name signed too.

Note: if your assembly is delay signed with strong name, you have to install "Strong Name HiJack" Tool in order to run it. Also, if you  want to verify if it is strong name signed. Easy, you can use "sn.exe" (A command line too shipped with Windows SDK) by typing "sn.exe -vf myAssembly.exe"

Authenticode Sign

Authenticode uses chaining certificates in digital signatures to identify the "authentic author" of the assembly. Its mechanisms is that some publishers registerred their information in an organization which is Certification Authority (CA). The CA assigns a unique certificate to the assembly. However, CA can reovke the certificate if needed and this certificate is only valid for a period of time. Thus, authenticode sign has following features

  • The authenticode signed assembly is not always valid.
  • The authenticode signed assembly probably has a perfomance issue, because it needs to connect with network to download the up-to-date (List of Revoked Certificates) CRL to ensure the certificate is valid.