Do you check in .snk files ?
So I'm about to publish my dll to Nuget and I'm researching recommended practices to do that.
From what I found, first I'll generate a key pair using sn.exe tool, then use this to sign my dll to produce a strong named assembly.
However, I thought since the .snk file contain both private and public key, I should not check it into the source control. But I saw some opensource project actually check this file in (example: nhibernate-core on github)
So what's the correct practice here ? Do I check the .snk file in ? If I don't, where should I keep it securely ?
8 Replies
strong name signing is not a security feature. Checking in the snk file is fine.
In reality you probably don't even need to bother with strong name signing. It's kind of an outdated concept.
Is there any reason people still doing it ?
If they are still targeting .NET Framework and doing things like installing into the GAC, or it's enforced by corporate policy, maybe.
https://github.com/dotnet/runtime/blob/main/docs/project/strong-name-signing.md
with a nice FAQ
similar guidance and recommendations exist here: https://learn.microsoft.com/en-us/dotnet/standard/library-guidance/strong-naming
as well as https://learn.microsoft.com/en-us/dotnet/standard/assembly/strong-named, which covers its not a security feature
it provides only identity
and note the recommendations for
public signing: https://github.com/dotnet/runtime/blob/main/docs/project/public-signing.mdSo if some of my customers are using strong named dlll and they would like to refer to my dll, I had to make my dll strong named, right ? Since strong named assemblies can only refer to other strong named assemblies ?
So the default is: "doing it is better than not doing it"
that only matters for .NET Framework where it is checked
for modern .NET, there is no validation of strong names only referencing strong names
(as per the docs linked)
Ideally your customers are not strong name signing, which would obviate this whole problem. But if they are, then yes, you'll want to strong name sign your own assemblies.
See the links Tanner posted. The published recommendation is that if you do need to strong name sign, you keep your .snk file in the same source repo as the rest of your code.
There are obviously exceptions to every rule, but it's one of those things where you'll know without a shadow of a doubt that you're an exception. (In other words, if you have to ask, or if you have even the slightest bit of uncertainty, you're not an exceptional case.)
Thanks folks