Strong Names and Web Assemblies

Toby Considine

I have an assembly that consists of several .NET DLLs, some of which I
compile in advance, some of which are customized for the individual user
(skins). On machines that I have control over, no problem. As soon as I
deployed them on publicly hosted sites, I had to add strong naming lest I
get security exceptions.

The service DLL is now strongly named, compiled, and placed in the Site BIN
directory, just as it was before.

Here is the problem.

How do I compile the Web app to be strongly named? Using the [barely]
documented features described in the Auto-generated AssemblyInfo.cs, I get:

// For local projects, the project output directory is defined as
// <Project Directory>\obj\<Configuration>. For example, if your KeyFile is
// located in the project directory, you would specify the AssemblyKeyFile
// attribute as [assembly: AssemblyKeyFile("..\\..\\mykey.snk")]
// For web projects, the project output directory is defined as
// %HOMEPATH%\VSWebCache\<Machine Name>\<Project Directory>\obj\<Configuration>.

I can figure out how to compile it locally.

This leaves me at a loss as to where I should put the snk on a remotely
hosted site.

thanks

tc
 
Chris Jackson

You are compiling on the user's machine? You only need the key pair during
compilation - the public key (which is the only key the end user should ever
see) is placed directly in the compiled file.

One thing you don't want to do is post your private key (and an snk file
contains the full key pair) because then everybody can compile using this
key, and it would appear as if they are you.
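The distinction drawn in the reply above can be checked before anything is uploaded to a shared host. The following is an added example, not part of the original thread: it classifies a key file as a full key pair (as written by `sn -k`) or public-key-only (as written by `sn -p`) from its CryptoAPI blob header, and lists any full key pairs found under a deployment folder. The function names and the zero-filled sample blobs are constructed for illustration.

```python
import struct
from pathlib import Path

# CryptoAPI blob types and magics found in strong-name key files.
PUBLICKEYBLOB, PRIVATEKEYBLOB = 0x06, 0x07
MAGIC_RSA1, MAGIC_RSA2 = b"RSA1", b"RSA2"   # public-only / full key pair


def classify_snk(data: bytes) -> str:
    """Return 'keypair', 'public' or 'unknown' for the bytes of a key file."""
    # Full key pair (sn -k): the file starts directly with a PRIVATEKEYBLOB.
    if len(data) >= 20 and data[0] == PRIVATEKEYBLOB and data[8:12] == MAGIC_RSA2:
        return "keypair"
    # Public key only (sn -p): 12-byte prefix (signature algorithm, hash
    # algorithm, blob length) followed by a PUBLICKEYBLOB.
    if len(data) >= 32 and data[12] == PUBLICKEYBLOB and data[20:24] == MAGIC_RSA1:
        (blob_len,) = struct.unpack_from("<I", data, 8)
        if blob_len == len(data) - 12:
            return "public"
    return "unknown"


def find_private_keys(root: str) -> list[str]:
    """List files under root (any extension) that hold a full key pair."""
    hits = []
    for path in Path(root).rglob("*"):
        # Key files are small; skip anything larger than 4 KiB unread.
        if path.is_file() and path.stat().st_size <= 4096:
            if classify_snk(path.read_bytes()) == "keypair":
                hits.append(str(path))
    return sorted(hits)


def _constructed_blob(btype: int, magic: bytes, body_len: int) -> bytes:
    # Constructed sample: real headers, zero-filled key material (not a usable key).
    header = struct.pack("<BBHI", btype, 2, 0, 0x2400)   # BLOBHEADER, CALG_RSA_SIGN
    rsapubkey = magic + struct.pack("<II", 1024, 65537)  # RSAPUBKEY: bits, exponent
    return header + rsapubkey + bytes(body_len)


SAMPLE_KEYPAIR = _constructed_blob(PRIVATEKEYBLOB, MAGIC_RSA2, 576)  # 596 bytes
_pub = _constructed_blob(PUBLICKEYBLOB, MAGIC_RSA1, 128)
SAMPLE_PUBLIC = struct.pack("<III", 0x2400, 0x8004, len(_pub)) + _pub  # 160 bytes

if __name__ == "__main__":
    for name, blob in [("keypair", SAMPLE_KEYPAIR), ("public", SAMPLE_PUBLIC)]:
        print(name, len(blob), classify_snk(blob))
```

Running `find_private_keys` over the folder that is about to be published catches a key pair that was copied along with the project, whatever the file is named.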
 
Toby Considine

Perhaps I misunderstand your question. My app has two parts.

One - business logic, compiled locally by me and placed in bin directory of
web site on shared hosting machine.

"Skins" consisting of ASPX's/ASCX's on remote machine. It is my
understanding that each time the ASPX's are changed, the site modified, the
JIT compile function of DOT/NET takes over and a new dll is created.

BTW, it appears that this also happens in IIS after a restart, causing the
first load of ASPX-based apps to be characteristically slow.

When I do standard FORMS/based authentication, I get Security Exceptions
thrown off by MSCORLIB. MSCORLIB is being asked about the current
authentication state by the precompiled "LOGI" DLL. It is my understanding
that is addressed by using a SNK file, generated in the usual way before the
DLL is ever deployed.

The problem is that "On-The-Fly" DLL. I can't seem to prevent it. It is
compiled on the fly after each change. It does not like the new SNd DLL.
- Do I need to tell that new App to trust the new StrongNamed DLL?
- If so, should this be by reference to the "Public" key only (well
probably).
- How do I reference that Public Key, then, in the remote compile?

Hope this is clearer.

tc




 
Chris Jackson

If you are using ASP.NET, and hence have code behind, then there are two
times when pages are compiled. Your code behind is compiled before you
deploy, and your pages themselves are compiled when you access them. (When
the last session is dropped, then the application is shut down, and you must
recompile the aspx page at this point.)

I am unaware of a way to strong name the compiled code that is dynamically
generated. (That doesn't mean it doesn't exist, just that I don't know about
it.)

--
Chris Jackson
Software Engineer
Microsoft MVP - Windows XP
Windows XP Associate Expert
--
More people read the newsgroups than read my email.
Reply to the newsgroup for a faster response.
(Control-G using Outlook Express)
--
