Signing your assembly, newbie guide

Follow these easy steps. The first 4 steps you only have to do ONCE in your life. Step 5-7 you only have to do ONCE per project.

  1. Open a command prompt
  2. Type vsvars32.bat (enter) or navigate to the .NET bin dir
  3. Type: sn -k mykey.key (enter)
  4. Move mykey.key to a folder where it gets backupped daily, for example: c:\myfiles\keys\
  5. Open your code's solution in Visual Studio.NET
  6. Open the AssemblyInfo class in the editor
  7. For the attribute AssemblyKeyFile(), specify instead of the default "", the full path of your key, in our example this is "c:\myfiles\keys\mykey.key", so the attribute in full will be:
    C#: [assembly: AssemblyKeyFile("c:\\myfiles\\keys\\mykey.key")]
    VB.NET: <Assembly: AssemblyKeyFile("c:\myfiles\keys\mykey.key")>
  8. Compile your solution. After compilation, your assembly is signed with your strong key.
  9. To congratulate yourself with this big achievement, walk to the fridge and pop open a fresh Heineken.

*Pfew* I have to lay down now to take some rest after this long, thorough lecture. Sorry people, but you don't need a plugin which requires registration to do this easy stuff. If you can program software, you can sign your assembly. If not, what are you doing near that keyboard? ;)

The signed assembly can be freely distributed to your clients/customers. They can reference it in their .NET projects without having to worry about public keys, public tokens or other hard to understand material. The world is already very complex, let's not make the easy stuff look like it's very complex also.

Update: Thanks to 'Prima Donna' Robert Mclaws for pointing to a typo in the title.

Kereltje, zodra jij zo goed Nederlands lult als ik Engels, heb je recht van spreken.


  • This is groovy. I've been wanting to look this up for a while but I've been too lazy. &quot;Signing your component for dummies.&quot;

  • Excellent. I was thinking the same thing the other day when I read our infamous know-it-all saying how hard it was to do. :)

  • Heh, I wouldn't expect anything else than lazyness from a person from :D ;)

  • You no longer have to register to download my tool. Thanks for the plug.

  • Not every bad publicity is 'good', Robert. (and why is my comment removed from the commentslist under your tool? Tssk.. censorship... )

  • Yes. It's easy, but why the heck not use a plugin? Why not make life easier? is that such a bad thing? Sure, I *could* write property getters and setters manually if I *wanted* to, but I use CodeSmart so make it fast and simple. Is that bad as well?

  • LOL, I was thinking about the same when I read the huge announcement.

    Nice job, do I have to register in the future to read your blog ;-) ?

  • Peter: just subscribe to the RSS feed in your RSS reader, no registration required ;)

    Roy: plugins can be buggy, can mess up your code, can crash the IDE, can corrupt files and more. And that for just 1 line of code. :D

    I don't use any plugins anymore, after I wrote some macros to create regions and properties. I know these will work without hassle. But thats choice. If you want to use a plugin for 1 line of code that is always the same in every project you create, go ahead, it's a free world (for some).

  • Using plugin for adding key file name to AssemblyInfo class????


    btw, first two steps could be replaced by

    1. Run Start/Programs/Microsoft Visual Studio .NET (2003)/Visual Stuio .NET Tools/Visual Studio .NET (2003) Command Prompt

  • Ah good one, Oleg :) The less steps, the better :)

  • Just to play devil's advocate here, A macro is the same as a plugin for this discussion. It makes your life simpler. Regardless of the usefulness of Robert's plugin, You can't disregard &quot;simple life mechanisms&quot; so easily, can you? Sure, for one line of code it would seem a bit too much, but that's not usually the case.

  • Roy,

    it's not really the fact someone creates a plugin, it's more the fact there's made a *huge* announcement for a solution to a problem while there is no problem. It's really not a big deal to sign an assembly.

    What would you say when I created a plugin that for example adds the statement &quot;using; to the top of my page? Basically that's what it does.

  • Maxim: you mean a wrapper around sn -k? :)

    Christophe: good point. Although I think if you don't have a security officer it's not that big of a deal, but if you do, then indeed the developer should use delayed signing described in your article.

    The fuzz here was more about a big announcement of a plugin to do something very simple :) The philosophy behind signing assemblies, (when to sign, when not to sign), installing in GAC or not, is a big subject, however if you've decided to do so (for example to be sure signed applications can use your assembly), the steps to sign the work are very easy :)

  • I agree with Frans and Joe Coder. For gosh sakes this is so frigging basic and it takes all of 30 seconds. This is chapter 1 of Richter for gosh sakes. How can anyone do aything in .NET if they don't know the most basic things like this? You don't need an add-in to do this as it is uncommenting two lines in AssemblyInfo.

  • You guys are all primadonnas. The first part of my post said I had 30 e-mails in three days saying that people didn't know what it was. OBVIOUSLY there was a need for it SOMEWHERE, or I wouldn't have done it. Buy you guys are all so friggin brilliant... that's why it wasn't written for you, or the 2000-some-odd people that understand it. It was written for the 6 MILLION other .NET developers who are just getting started in .NET, and don't get it. Not everyone is as smart as you are.

    And BTW, It's not Chapter 1 of Richter. The VB.NET Security Book does not cover it until Chapter 10. And the fact that you think the problem is as simple as one line of code, means you don't REALLY understand what's going on under the covers.

    And in regards to the add-in not dealing with delay-signing... most shops can't even understand regular signing... to them, delay signing is next to impossible. You have to start somewhere.

    Developers look up to you guys for advice, for leadership. Is this being a leader? Leaders don't tear people down. When you post blatantly negative attacks on someone, it makes other people not want to be a part of this community.

    Speaking of starting somewhere, I think you all forgot where you started. There was a time once where you didn't know what strong-name signing was either (it wasn't that long ago, since it came around with the Framework). I doubt anyone derided you for being stupid and not knowing how you did it. Sam, you just single-handedly insulted 6 Million VB.NET developers who don't get the same signing comments that are in the AswsemblyInfo.vb file. Are you calling them stupid?

  • Almost forgot. Singing your assembly, huh? I like singing songs, personally, but i can see how singing an assembly can be fun too.

  • The first thing I learned as well when I started .Net (and I started with notepad, MSDN, and Richter) was how to sign and delay-sign an assembly. The assembly, and how it works, how to use it, etc. is fundamental to understanding .Net.

    I understand the reason you felt you needed to create the tool, but I disagree that it was necessary to create a tool when a simple explanation like Frans' would have sufficed. If the comments are not available in VB.Net (as it is in C#, which Sam and I use daily), then I would have answered those 30 emails you mentioned with a blog post explaining the issues. It helps produce better developers who understand why, rather than run another wizard and still have no idea what's going on.

    Working with Sam day-in and day-out, I see that it is ingrained in him that developers understand &quot;why&quot; more than &quot;what&quot;. He is not a &quot;prima-donna&quot;, as he devotes hours of his time helping this client among many others in the .Net community to understand how .Net works. Sam was not trying to insult the 6 million developers -- instead, he was trying to help them understand why things work the way they do in .Net. Even the VB.Net Security book you mention (by Eric Lippert) goes through many details from the front-end to explain to the VB.Net developer why security is the way it is in .Net. He does all of that without running a single wizard. He mentions nothing about VB.Net because its immaterial to understanding the fundamental principles of .Net.

  • Can I just skip to Step 9 and repeat it a few times?

  • @Robert: come on man, pointing out a typo from someone who's native language is not English??

    It just shows you can't beat him on arguments.

    I'd like to see you post in Dutch, and I promise I won't point out any typo if I can just understand what it's about.


    LOL @ Shannon :)

  • Shannon: hehehe :) You could of course do that, but my experiences are that, if you take step 9 too many times, it's adviced not to take any of the previous steps after that ;)

  • WARNING to mr. McLaws: do not ever post a reply to my blogs again. EVER.

  • Peter:

    &quot;What would you say when I created a plugin that for example adds the statement &quot;using; to the top of my page? Basically that's what it does. &quot;

    If I remember correctly there a a very cool plugin somewhere that allows you to automatically add missing import (using) statements to your file when you forget to add the. Something like, you time Thread, mark the work and make the shortcut keys, and the using System.Threading line appears automagically. simple, time saving, and yes, does not take a genius to figure out. Still, iot's a wonderfull time saving plugin. I would not call such as plugin useless.

  • Ugh, my typos are only enhanced on a norwegian keyboard, as my last comment would show..

    I meant to say that you highlight the word &quot;thread&quot; and activate the plugin, to automatically have a &quot;using System.Threading&quot; line added to your code.

    Hope that's more understandable.

  • Damn, you nitwits!

    Arguing about whether or not to write an add-in...

    BE HAPPY that you're all .NET coders!

    I still have to experience the terror of Java, ever tried to sign a JAR file?!? you need an entire tool for that! a plugin isn't even sufficient :P

    We're gonna switch to .NET soon :D

    But plz guys, don't argue about something so ignorant... both solutions are good :) surely a user can decide whether or not to use an add-in...


    -- Rob.

    En ja, hij had in inderdaad zijn bek moeten houden over spellingsfouten ;)

Comments have been disabled for this content.