This is preliminary documentation and subject to change.
Deferred Signing
Deferred signing refers to the process of reserving space in the PE file for the shared name signature at build time, but the actual signing is deferred until some later stage - typically right before the assembly is shipped. The process works as follows:
- The developer must get the public key portion of the key pair from the organization in the company that will do the eventual signing. Typically this key is in the form of an “snk” file as described above.
- The key is given to the compiler with a command-line switch. For example, in C# this switch is “/a.keyfile:”. In addition, the compiler is typically given a switch indicating that the assembly should be deferred signed.
- The compiler inserts the public key into the manifest using IMetaDataAssemblyEmit::DefineAssembly and reserves space in the PE for the signature. Again, the real public key must be stored while the assembly is built so that other assemblies that reference this one can get the public key to store in their references. Given just the public key, the compiler can determine the size of the signature using StrongNameSignatureSize.
- Because the assembly doesn’t have a valid signature, the verification of that signature must be turned off. This can be done for all assemblies on the machine (using SN -Vr*), or for particular assemblies (using SN -Vr).
- At some later point, the assembly is handed off to the organization’s signing authority for “real” signing (using SN -R).
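A deferred-signed assembly only loads where verification has been turned off, so a release check should confirm that the final SN -R step actually happened. The following is an added example, not part of the original documentation: it reads the reserved signature space straight from the PE file, using offsets from the PE/COFF and ECMA-335 CLI header layouts rather than from this page. The names strong_name_state and sample_image are hypothetical, and the sample image is constructed for the example.

```python
import struct

STRONGNAMESIGNED = 0x08  # COMIMAGE_FLAGS_STRONGNAMESIGNED in the CLI header flags

def strong_name_state(pe: bytes) -> str:
    """Return 'unsigned', 'delay-signed' or 'signed' for a managed PE image."""
    pe_off, = struct.unpack_from("<I", pe, 0x3C)
    if pe[:2] != b"MZ" or pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsect, = struct.unpack_from("<H", pe, pe_off + 6)
    opt_size, = struct.unpack_from("<H", pe, pe_off + 20)
    opt = pe_off + 24
    magic, = struct.unpack_from("<H", pe, opt)
    dirs = opt + (96 if magic == 0x10B else 112)  # PE32 vs PE32+
    # Per section: VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
    sects = [struct.unpack_from("<4I", pe, opt + opt_size + 40 * i + 8) for i in range(nsect)]

    def offset(rva):
        for vsize, va, rawsize, rawptr in sects:
            if va <= rva < va + max(vsize, rawsize):
                return rva - va + rawptr
        raise ValueError("RVA outside all sections")

    cli_rva, _ = struct.unpack_from("<2I", pe, dirs + 8 * 14)  # directory 14: CLI header
    if cli_rva == 0:
        raise ValueError("no CLI header: not a managed assembly")
    cli = offset(cli_rva)
    flags, = struct.unpack_from("<I", pe, cli + 16)
    sig_rva, sig_size = struct.unpack_from("<2I", pe, cli + 32)  # StrongNameSignature
    if sig_size == 0:
        return "unsigned"
    start = offset(sig_rva)
    sig = pe[start:start + sig_size]
    # Space reserved but never filled in: flag clear, or slot still all zeros
    return "signed" if flags & STRONGNAMESIGNED and any(sig) else "delay-signed"

def sample_image(signed: bool) -> bytes:
    """Constructed minimal image: one section, CLI header, 128-byte signature slot."""
    img = bytearray(0x400)
    img[:2], img[0x80:0x84] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", img, 0x3C, 0x80)               # e_lfanew
    struct.pack_into("<H", img, 0x86, 1)                  # NumberOfSections
    struct.pack_into("<H", img, 0x94, 224)                # SizeOfOptionalHeader
    struct.pack_into("<H", img, 0x98, 0x10B)              # PE32 magic
    struct.pack_into("<2I", img, 0x168, 0x2000, 72)       # CLI header directory
    struct.pack_into("<4I", img, 0x180, 0x200, 0x2000, 0x200, 0x200)  # section header
    struct.pack_into("<I", img, 0x210, 0x09 if signed else 0x01)      # CLI flags
    struct.pack_into("<2I", img, 0x220, 0x2048, 128)      # signature RVA, size
    img[0x248:0x2C8] = bytes(range(1, 129)) if signed else bytes(128)  # stand-in signature
    return bytes(img)
```

A result of "signed" only means the reserved space has been filled in; whether the signature is valid is still decided by strong name verification itself.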