增强型强名(SNK)和个人交换格式(PFX)之间有什么区别,何时应分别使用? [英] What is the difference between Enhanced Strong Name (SNK) and Personal Exchange Format (PFX) and when should each be used?
问题描述
此问题是以下内容的扩展:
This question is an extension of the following:
- 每个项目都应使用单独的强名称密钥(.snk)签名吗?
- snk与代码签名证书
- 是否有理由将.snk文件与项目源一起提供?
- https://docs.microsoft.com/en-us/dotnet/standard/assembly/enhanced-strong-naming
我正在寻找对自定义程序集及其代码签名进行强命名的方法,并且已经阅读了各种SO帖子(请参见上文)和MSDN.我了解以下内容:
I am looking at Strong Naming a custom assembly along with code signing it and have read various SO posts (see above) and the MSDN. I understand the following:
- 严格命名程序集而没有密码会创建一个SNK文件,并且仅标识程序集的发布者,以便可以将其部署到GAC并缓解所谓的
DLL Hell由来自不同发布者的同名程序集引起. - 使用密码强命名程序集 将代码签名添加到程序集并创建PFX文件而不是SNK文件.这既可以标识发布者,又可以验证代码是否遭到篡改.注意:此文件可以由受信任的证书颁发机构(如Verisign和Digicert)创建,然后导入,也可以是在组织内创建的自签名证书.自行创建PFX与创建强名称"程序集的步骤相同,但是您只需向其添加密码即可.
- 增强的强命名对我来说似乎是个谜.它涉及创建一个强名称SNK文件(即无密码),然后从中提取私钥.似乎仅是为了允许从不推荐使用的哈希算法进行迁移.
- Strong naming an assembly without a password creates an SNK file and only identifies the publisher of the assembly so that it can be deployed to the GAC and mitigate the so-call
DLL Hellcaused by identically named assemblies from different publishers. - Strong naming an assembly with a password adds code signing to an assembly and creates a PFX file, instead of an SNK file. This both identifies the publisher and verifies that the code has not been tampered with. Note: This file can either be created, and thus imported, by a trusted certificate authority like Verisign and Digicert or it can be a self-signed certificate created within the organization. Self-creating a PFX is the same step as creating a Strong Named assembly, but you just add a password to it.
- Enhanced Strong Naming seems a bit of a mystery to me. It involves creating a Strong Named SNK file (i.e., no password) and then extracting the private key from it. It seems to only be for allowing the migration from deprecated hashing algorithms.
我理解2是1的逻辑扩展.但是,上面2和3之间有什么区别?3相对于1有什么优势吗?还是仅允许跨算法迁移的一种方式?换句话说,我认为2和3存在的原因是不同的.那是什么原因/实现?
I understand 2 to be a logical extension of 1. Is my understand above correct? But, what is the difference between 2 and 3 above? Does 3 have any advantage over 1 or is it just a way to allow migration across algorithms only? Said differently, I imagine the 2 and 3 exist for distinct reasons; what is that reason/implementation?
推荐答案
对1的补充:您希望使用强命名方式,以确保不引用未签名的程序集.您可能不想使用GAC.
Addition to 1: You want strong naming to ensure no unsigned assembly is referenced. You might not want to use the GAC.
更正为2:代码签名!=强命名.要进行强命名,请使用 sn.exe 创建密钥.对于使用私有密钥对x.509数字证书进行签名的代码.证书本身没有密码.PFX/PKCS#12容器格式使用该密码来保护私钥.其他选项.像可以使用智能卡或令牌.
Correction to 2: code signing != strong naming. for strong naming usesn.exe to create a key. For code signing a x.509 Digital certificate with its private key is needed. A certificate itself has no password. The password is used by the PFX/PKCS#12 container format to protect the private key. Other options. like e.g. a smart card or token are possible.
所以2不是对1的扩展.3具有使用更好的哈希算法和两个而不是一个签名的优点.
So 2 is NOT the extension to 1. 3 has the advantage of using better hash algorithms and two instead of one signature.
这篇关于增强型强名(SNK)和个人交换格式(PFX)之间有什么区别,何时应分别使用?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
