How to: Publish and Sign Assemblies for Precompiled Web Sites in Visual Web Developer

When you publish an ASP.NET Web site in Visual Web Developer, you have the option to enable strong naming of precompiled assemblies. This option specifies that during compilation, the generated assemblies are strongly named using a key file or key container to sign the assemblies and ensure that they have not been tampered with. When you sign assemblies, you can do the following:

  • Specify the location of a key file to use to sign the assemblies.

  • If you use a key file, you can choose to delay sign the assemblies, which signs them in two stages: first with the public key file, and later with the private key file. When an assembly is delay signed, only the public key is set at compile time, and space is reserved in the file for the signature to be added later when the private key is available. If the assemblies are delay signed, strong-name verification must be skipped for that public key on the build computer. Otherwise, ASP.NET cannot load and compile the generated assemblies. For more information, see Cryptography Overview.

    Note

    Use delay signing and skip verification only during development. Adding an assembly to the skip verification list creates a security vulnerability. A malicious assembly could use the fully specified assembly name (assembly name, version, culture, and public key token) of the assembly added to the skip verification list to fake its identity. This would allow the malicious assembly to also skip verification.

  • Specify the location of a key container from the system's cryptographic service provider (CSP) to use to strong-name the assemblies.

  • Select whether to mark the assembly with the AllowPartiallyTrustedCallers property, which allows strongly named assemblies to be called by partially trusted code. Without this declaration, only fully trusted callers are allowed to call such assemblies. For more information, see .NET Framework Assemblies Marked with AllowPartiallyTrustedCallersAttribute.

    Note

    Marking assemblies with the AllowPartiallyTrustedCallers property might compromise the security of your generated assembly.

To enable strong naming of precompiled assemblies

  1. In Visual Web Developer, open the Web site that you want to deploy.

  2. On the Build menu, click Publish Web Site.

    Note

    Visual Web Developer Express Edition does not support precompiling a site for deployment.

  3. Select the Enable strong naming on precompiled assemblies check box.

  4. Choose to use a key file by selecting Use a key file generated with the Strong Name tool, or to use a key container by selecting Use a key container.

  5. Enter the location of the key file or key container. If you use a key file and want to delay signing of the assemblies, select Delay signing.

  6. If you choose to allow strongly named assemblies to be called by partially trusted code, select the Mark assemblies with the AllowPartiallyTrustedCallersAttribute (APTCA) check box.

  7. Click OK.
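
The same publish options can be driven from the command line with aspnet_compiler.exe and sn.exe. The script below is an added example, not part of the original page: it delay signs a precompiled site, completes the signature, and always removes the skip-verification entry afterwards. The paths, the /MySite virtual path and the Invoke-Tool helper are assumptions.

```powershell
# Added example; paths, site name and Invoke-Tool are assumptions, not from the page.
# Run elevated, with sn.exe and aspnet_compiler.exe on PATH (sn -Vr / -Vu change
# machine-wide settings).
$ErrorActionPreference = 'Stop'
$site    = 'C:\src\MySite'        # assumed source Web site
$target  = 'C:\publish\MySite'    # assumed publish target
$pubKey  = 'C:\keys\public.snk'   # public key only; can be shared with developers
$fullKey = 'C:\keys\keypair.snk'  # contains the private key; keep on the release machine

function Invoke-Tool {
    param([string]$Exe, [string[]]$ToolArgs)
    & $Exe @ToolArgs
    if ($LASTEXITCODE -ne 0) { throw "$Exe $($ToolArgs -join ' ') failed ($LASTEXITCODE)" }
}

# One-time setup by the key owner: create the pair, then extract the public half.
#   sn -k C:\keys\keypair.snk ; sn -p C:\keys\keypair.snk C:\keys\public.snk

# 1. Read the public key token so the skip entry covers this key only.
$tp = & sn.exe -tp $pubKey | Out-String
if ($tp -match 'Public key token is\s+([0-9a-f]{16})') { $token = $Matches[1] }
else { throw "Could not read a public key token from $pubKey" }

# 2. Development only: skip strong-name verification for assemblies with this token.
Invoke-Tool sn.exe @('-Vr', "*,$token")
try {
    # 3. Precompile with delay signing (same as the Publish Web Site check boxes).
    Invoke-Tool aspnet_compiler.exe @('-v', '/MySite', '-p', $site,
                                      '-keyfile', $pubKey, '-delaysign', $target)
    # 4. Complete the signature with the private key, then force verification.
    #    Only the generated App_*.dll files are touched, not referenced libraries.
    Get-ChildItem (Join-Path $target 'bin') -Filter 'App_*.dll' | ForEach-Object {
        Invoke-Tool sn.exe @('-R', $_.FullName, $fullKey)
        Invoke-Tool sn.exe @('-vf', $_.FullName)
    }
}
finally {
    # 5. Always remove the skip entry, then list what is still registered.
    & sn.exe -Vu "*,$token"
    & sn.exe -Vl
}
```

Any entry that `sn -Vl` still lists on a build or production server after this runs deserves review, because assemblies matching it load without signature verification.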

See Also

Tasks

How to: Precompile ASP.NET Web Sites

Concepts

Publishing Web Sites

Cryptography Overview

.NET Framework Assemblies Marked with AllowPartiallyTrustedCallersAttribute

Other Resources

ASP.NET Web Site Precompilation