Strong name versus certificate signing
While looking around on the net about strong naming and signing, I have found some confusion about the purpose of, and the difference between, these two methods.
Strong names make assembly names cryptographically strong. When you load banan.dll by its strong name you are saying “load the banan.dll that was signed by XCompany”. The loader verifies that the named dll was signed with the corresponding key, and if it was not, the loader refuses to load it. This is the only thing that strong naming does (making the name of a dll cryptographically strong). Strong names are not a mechanism for expressing trust decisions. Strong names are just about making a name stronger, so that you have a guarantee that the code you are loading at runtime is the code you compiled against. That is the ONLY thing you can safely use a strong name for. Strong name keys go into an “.snk” file, which you then typically include with your project.
Certificate signing is completely different. Certificates form a chain of trust, where a trusted root certificate (Verisign, for example) is installed in every user’s root certificate store. Those trusted root certificates are then used to certify the identities of organizations that issue code signing certificates. This enables the customer to set up trust policies. For example, they can say “I want to trust anything that comes from XCompany”. How do they do that? They first check whether the dll was signed by an XCompany certificate. But how do they know that the XCompany certificate actually came from XCompany? Because Verisign says so – Verisign signed the XCompany certificate, saying “we certify that this code signing certificate actually belongs to XCompany”. Why do they trust Verisign? Because Verisign is part of the Microsoft root certificate program. Acceptance into this program means Microsoft trusts these certificate authorities and places their root certificates in the Trusted Root store on Windows machines. That is the root of the chain of trust. Certificates don’t go into strong name key files; they go into the operating system’s certificate store.
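To make the distinction concrete, here is an added PowerShell example (not code from the original post) that checks an assembly both ways: first that its strong-name identity carries the public key token you compiled against, then that its Authenticode signature chains to a root in the Trusted Root store and names the publisher you expect. The file path, the expected token and the publisher name are placeholders you supply.

```powershell
# Added example, not part of the original post. $Path, $ExpectedPublicKeyToken
# and $ExpectedPublisher are placeholders for your own assembly and values.

function Test-StrongNameIdentity {
    param([string]$Path, [string]$ExpectedPublicKeyToken)
    # The strong name is the assembly identity: name, version, culture and
    # the public key token (last 8 bytes of the SHA-1 hash of the public key).
    $name  = [System.Reflection.AssemblyName]::GetAssemblyName($Path)
    $token = ($name.GetPublicKeyToken() | ForEach-Object { $_.ToString('x2') }) -join ''
    # An empty token means the assembly is not strong-named at all.
    if (-not $token) { return $false }
    # This only answers "is this the key I compiled against?"; it is a name check,
    # not a trust decision. The .NET Framework loader verifies the signature itself
    # at load time (sn.exe -vf does the same out of band); .NET Core / .NET 5+ skip
    # strong-name signature validation entirely.
    return $token -eq $ExpectedPublicKeyToken.ToLowerInvariant()
}

function Test-AuthenticodeTrust {
    param([string]$Path, [string]$ExpectedPublisher)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    # Status is Valid only when the signature over the file verifies AND the
    # signer's certificate chains to a root in the machine's Trusted Root store.
    # Other values (NotSigned, HashMismatch, NotTrusted, ...) all mean "do not trust".
    if ($sig.Status -ne 'Valid') { return $false }

    # Walk the chain so the trust decision is visible: leaf (publisher) up to root.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $null  = $chain.Build($sig.SignerCertificate)
    $root  = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    Write-Host "Publisher: $($sig.SignerCertificate.Subject)"
    Write-Host "Root:      $($root.Subject)"

    # Policy lives here, not in the name: "trust anything signed by this publisher".
    return $sig.SignerCertificate.Subject -like "*CN=$ExpectedPublisher*"
}

# Usage with placeholder values:
# Test-StrongNameIdentity -Path 'C:\path\to\banan.dll' -ExpectedPublicKeyToken '0123456789abcdef'
# Test-AuthenticodeTrust  -Path 'C:\path\to\banan.dll' -ExpectedPublisher 'XCompany'
```

A strong-name mismatch tells you the binary is not the one you built against; an Authenticode failure tells you the publisher identity cannot be established through the certificate store, which is the check a trust policy should rest on.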