最佳实践签署.NET程序集?程序、NET
我具有由五个项目,每个编译以分离组件的溶液。现在我code-签约他们,但我pretty的肯定,我做错了。什么是最好的做法在这里?
I have a solution consisting of five projects, each of which compile to separate assemblies. Right now I'm code-signing them, but I'm pretty sure I'm doing it wrong. What's the best practice here?
登录每一个不同的密钥;确保密码是不同的 登录每一个不同的密钥;如果你想使用相同的密码 登入具有相同的键 在别的东西完全基本上我不太清楚什么是签名确实给他们,或者最好的做法在这里是什么,让一个更一般的讨论将是一件好事。我所知道的就是 FxCop的的大声呵斥我,很容易通过点击登录本次大会复选框来解决并生成使用Visual Studio(2008年),一个.pfx文件。
Basically I'm not quite sure what "signing" does to them, or what the best practices are here, so a more generally discussion would be good. All I really know is that FxCop yelled at me, and it was easy to fix by clicking the "Sign this assembly" checkbox and generating a .pfx file using Visual Studio (2008).
推荐答案
如果你唯一的目的是从吼你停止FxCop的,那么你已经找到了最好的实践。
If your only objective is to stop FxCop from yelling at you, then you have found the best practice.
签署程序集的最佳实践是什么,完全取决于你的目标和需要。我们需要像你打算部署的详细信息:
The best practice for signing your assemblies is something that is completely dependent on your objectives and needs. We would need more information like your intended deployment:
对于个人用途 有关企业网络的电脑使用的是客户端应用程序 在运行的Web服务器上 运行在SQL Server 下载在互联网上 在销售的CD中收缩包装 上传直入控制论的作用。 等通常你用code签名来验证组件来自一个特定的可靠来源,并没有被修改。 的这样每次使用相同的密钥是好的。的现在怎么信任和身份确定是另一回事。
Generally you use code signing to verify that the Assemblies came from a specific trusted source and have not been modified. So each with the same key is fine. Now how that trust and identity is determined is another story.
更新:如何这有利于您的最终用户,当你部署在网络中,如果你已经获得的从证书颁发机构软件签名证书。然后,当他们下载的组件就可以验证它们从 Domenic的软件商场的来了,他们也没有被修改或沿途损坏。你也将要被下载时签署的安装程序。这prevents警告,一些浏览器显示,它已经从一个未知的来源获得的。
UPDATE: How this benefits your end users when you are deploying over the web is if you have obtained a software signing certificate from a certificate authority. Then when they download your assemblies they can verify they came from Domenic's Software Emporium, and they haven't been modified or corrupted along the way. You will also want to sign the installer when it is downloaded. This prevents the warning that some browsers display that it has been obtained from an unknown source.
请注意,你将支付的软件签名证书。你得到的是认证中心成为谁验证你是,你说谁,你是值得信赖的第三方。这样做是因为信任的网络的追踪它的方式回到中安装其操作系统中的根证书。有几个证书颁发机构可供选择,但你会希望确保它们是由目标操作系统的根证书的支持。
Note, you will pay for a software signing certificate. What you get is the certificate authority become the trusted 3rd party who verifies you are who you say you are. This works because of a web of trust that traces its way back to a root certificate that is installed in their operating system. There are a few certificate authorities to choose from, but you will want to make sure they are supported by the root certificates on the target operating system.
