When to Delay Sign Assemblies

When to Delay Sign Assemblies

In a workplace where many developers are working on a project, there is every possibility of the private key of the assembly being mishandled. Hence in a development environment, it becomes mandatory to maintain the integrity of the system during tests and build. This is where delay signing proves significant.

What is Delay Signing?

Delay signing is a process of generating a partial signature during development with access only to the public key. The private key can be stored securely and used to apply the final strong name signature just before shipping the project.
How to delay sign assemblies?
To use delay signing, follow these five steps:
  1. Extract the public key from the key pair. We can use the tool sn.exe for this.
    sn - pc keypairfilename ExtractPublicKey.pk
  2. The generated public key (ExtractPublicKey.pk) can be used by the development team to delay sign assemblies. This is a stage when .NET Framework will not allow us to load the delay-signed assemblies as they are yet not fully signed. Hence it becomes vital to configure our development machines such that it skips strong name signature verification for our key.
    Use C# compiler to delay sign assembly as follows:
    csc /delaysign+ /keyfile: ExtractPublicKey.pk test.cs
  3. To configure the .NET Framework to skip strong name signature verification for the test.exe assembly on development machines:
    sn - Vr test.exe
    We can also configure our machine to skip all assemblies delay signed with the same key as the test application. The following command will do this:
    sn - T test.exe
    The execution of the above command will give us the public key token.
    Public key token is b03f5f7f11d50a3a
  4. Execute the following command to skip strong name verification for any assembly using the public key token generated above:
    sn - Vr *,b03f5f7f11d50a3a
    Please note that skipping strong name signature verification is something that should only be done on development machines. It should never be done in a production environment as it opens up those machines to assembly spoofing attacks.
  5. The fifth step is the final step taken before the deployment of the project to the production. We will use the securely saved private key to generate the final full strong name with sn.exe tool. 
    sn - Rc test.exe keypairfilename
    This completes the process and adds the full signature to the assembly. A pointer to this step is that our delay-signed assemblies now don't need to be rebuilt. Any assemblies that had a reference to the delay-signed assembly also had access to its public key and are therefore able to create a full assembly reference, even though the assembly did not have a full signature.


Delay signing the assemblies is an easy and secure way of protecting the assemblies in the development environment. However please note that with delayed signing on, during the testing environment none of the strong name signatures are verified. So there is a trade-off. But I have a solution to this as well, the term is Test key signing that I'll discuss in my next article...