NGWS SDK Documentation  

This is preliminary documentation and subject to change.
To comment on this topic, please send us email at ngwssdk@microsoft.com. Thanks!

Test Signing

Test signing refers to the process of signing your assembly with a test key during development, then replacing this signature with one done with the real key prior to deployment. The test key is a non-secure key that can freely be shared – the signature based on the test key won’t be part of the assembly when it is deployed. As with deferred signing, test signing requires access to the real public key at build time. Test signing works as follows:

  1. The developer must get the public key portion of the key pair from the organization in the company that will do the eventual signing. Typically this key is in the form of an “snk” file as described above. In addition to the real public key, the developer needs a test key pair. This is typically generated with SN (the –k option).
  2. The key is given to the compiler with a command line switch. For example, in C# this switch is /a.keyfile: In addition the compiler (or other tool that is building the assembly – link Alink.exe) is also given a switch that specifies the test key pair to use for signing.
  3. The compiler inserts the public key into the manifest using IMetadataAssemblyEmit::DefineAssembly and calls StrongNameSignatureGeneration with the test key to emit the test signature. Again, the real public key must be stored while the assembly is built so that other assemblies that reference this one can get the public key to store in their references.
  4. When verifying the shared name signature, the NGWS runtime must use the test public key because the signature in the assembly will not verify using the public key in the manifest (it’s the real one, not the test one). SN contains an option (-V) for registering the test public key as a “fallback” key. When such a key is registered, the NGWS runtime will use this key to verify the signature if verification fails using the key in the manifest.
  5. At some later point, the assembly is handed off to the organization’s signing authority for “real” signing (using SN –R). Real signing replaces the test signature with a signature generated using the real key pair.