-1

We use SNK key files to sign our assemblies, then we use WiX to create an MSI install file. When we download the MSI file, we get the SmartScreen "Windows protected your PC" prompt. I read about all the certification stuff and I told the team we should get a certificate and so on, but they said no, we just use SNK files and add them in the .crproj file. Is that correct, or do I have to do it?

Update: not a duplicate, and yes, you can sign code with just SNK; I did that.

  • @Lex Li, have you read the question? I said I read all those links and based on that I think I need a PFX cert or something. My question is: is SNK enough to skip Windows SmartScreen or not? –  May 04 '18 at 08:15
  • Read the linked thread. Did it say that SNK can skip Smart Screen? – Lex Li May 04 '18 at 08:22
  • Actually, the team was right, you can, and it was enough –  May 07 '18 at 06:07

1 Answer

1

You will need to look into Code Signing for your app.

but they said no we just use snk files

I think your team is confusing Strong Naming with Code Signing. Though both use certificates, the certificates used with strong naming are not sufficient for Code Signing, which is what you need here.

Strong Naming is somewhat of a poor man's way to identify something (filename, culture, public key). Its identification method is not objective (as there is no third party) and it does not show whether something has been tampered with. It is purely a .NET beast.

Code Signing (or Authenticode) identifies something by way of a trusted third party and can show if something has been tampered with or not. CS can be used with .NET and native apps.

Both are complex to discuss in full here, particularly the latter.

  • I'm not sure, but it's written in the link: "When a strong-named assembly is created, it contains the simple text name of the assembly, the version number, optional culture information, a digital signature, and the public key that corresponds to the private key used for signing." Isn't a digital signature like code signing? https://learn.microsoft.com/en-us/dotnet/framework/app-domains/strong-named-assemblies –  May 04 '18 at 05:20
  • 1
    @jhonejack Anyone can generate as many strong name keys as he wants; they do not prove your identity in any way, nor do they prevent bad guys from modifying your software and redistributing it. Code signing also does not protect from that, but that's why SmartScreen exists: for the user to be suspicious about unsigned code. With just a strong name, both the original and tampered versions are the same in the sense that the source of both cannot be identified, and both produce the SmartScreen warning. – Evk May 04 '18 at 06:06
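
To see which of the two signature types discussed in the answer above a built EXE or DLL actually carries, the following added example (not code from the answer or its comments) reads the PE headers and reports whether the Authenticode certificate table and the .NET strong-name slot are populated. `signature_kinds` and `build_sample` are hypothetical names, and the sample image is a constructed header-only skeleton; an MSI is not a PE file and is out of scope here.

```python
import struct

STRONGNAMESIGNED = 0x8  # COMIMAGE_FLAGS_STRONGNAMESIGNED in the CLR header

def signature_kinds(pe: bytes) -> dict:
    """Report which signature slots a PE image populates (presence, not validity)."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file")
    nt = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsect, = struct.unpack_from("<H", pe, nt + 6)
    opt_size, = struct.unpack_from("<H", pe, nt + 20)
    opt = nt + 24
    magic, = struct.unpack_from("<H", pe, opt)
    dirs = opt + (96 if magic == 0x10B else 112)      # PE32 vs PE32+
    ndirs, = struct.unpack_from("<I", pe, dirs - 4)   # NumberOfRvaAndSizes
    entry = lambda i: struct.unpack_from("<II", pe, dirs + 8 * i) if i < ndirs else (0, 0)
    cert_off, cert_size = entry(4)   # certificate table: Authenticode (file offset)
    clr_rva, _ = entry(14)           # CLR header: only .NET assemblies have one
    out = {"authenticode": cert_size > 0, "dotnet": clr_rva > 0, "strong_name": False}
    for i in range(nsect if clr_rva else 0):          # map the CLR RVA to a file offset
        vsize, va, rsize, raw = struct.unpack_from("<4I", pe, opt + opt_size + 40 * i + 8)
        if va <= clr_rva < va + max(vsize, rsize):
            clr = raw + clr_rva - va
            flags, = struct.unpack_from("<I", pe, clr + 16)
            _, sn_size = struct.unpack_from("<II", pe, clr + 32)  # StrongNameSignature
            out["strong_name"] = bool(flags & STRONGNAMESIGNED) and sn_size > 0
            break
    return out

def build_sample(strong_name: bool, authenticode: bool) -> bytes:
    """Constructed PE32 header skeleton for the demo (not a loadable image)."""
    pe = bytearray(0x400)
    pe[0:2], pe[0x80:0x84] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", pe, 0x3C, 0x80)            # e_lfanew
    struct.pack_into("<H", pe, 0x86, 1)               # NumberOfSections
    struct.pack_into("<H", pe, 0x94, 224)             # SizeOfOptionalHeader
    opt = 0x98
    struct.pack_into("<H", pe, opt, 0x10B)            # PE32 magic
    struct.pack_into("<I", pe, opt + 92, 16)          # NumberOfRvaAndSizes
    struct.pack_into("<II", pe, opt + 96 + 14 * 8, 0x2000, 72)   # CLR header directory
    if authenticode:
        struct.pack_into("<II", pe, opt + 96 + 4 * 8, 0x300, 0x100)
    struct.pack_into("<4I", pe, opt + 224 + 8, 0x200, 0x2000, 0x200, 0x200)  # one section
    if strong_name:
        struct.pack_into("<I", pe, 0x200 + 16, 0x1 | STRONGNAMESIGNED)
        struct.pack_into("<II", pe, 0x200 + 32, 0x2050, 128)
    return bytes(pe)
```

A strong-named assembly that reports `authenticode: False` here is still unsigned as far as Authenticode is concerned. The check only reports presence; validating the signatures is the job of `signtool verify /pa` and `sn -vf`.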