Taming TFS - Strong naming assemblies

By eidias on (tags: tfs, categories: infrastructure)

Today we’re going to look at another build script adjustment – strong naming assemblies.

The scenario we are aiming for is that during development, the assemblies are not signed (so developers don’t need to have a certificate file - a little bit more on that later), but during a build on the build server they are. This can be handled by providing additional parameters to msbuild.

In your template, find an activity called “Run MSBuild for Project” and check its properties. There are two places where you may add parameters to msbuild – the “CommandLineArguments” input of the task or the “MSBuildArguments” template argument. The difference is that “MSBuildArguments” is exposed in the build configuration and “CommandLineArguments” is not; the end result is the same.


There are 3 parameters for msbuild that may come in handy:

  • SignAssembly – bool
  • AssemblyKeyFile – if you want to use a certificate file
  • AssemblyKeyContainerName – if you don’t want to use the file directly

In my case, the “CommandLineArguments” input value looks like this:

    String.Format("/p:SkipInvalidConfigurations=True {0} /p:SignAssembly={1};AssemblyKeyContainerName={2}",
        MSBuildArguments,
        SignAssembly,
        AssemblyKeyContainerName)

I decided to use custom template arguments so that I would have a cleaner build configuration file.

Digression 1 – signing and strong naming

If you want to strong name assemblies, you can create a self-signed certificate and use it. Strong naming does not provide any type of authenticity checking – it’s not meant for it.

If you want to digitally sign files, you should get a signed certificate from a Certificate Authority (CA).

It is possible to use one certificate for both of these activities – just make sure that you specify that the certificate will be used for code signing when you generate the certificate signing request.

Digression 2 – file or container

Whether you use a certificate file directly or through the cert store is up to you. There are certain things you need to take into account before deciding though.

If you want to use a certificate file directly, you need to make sure that it’s been added to the user private cert store. If you don’t, the build will ask for the cert password (if your cert is not password protected then you should be good, but I haven’t verified that).

If you decide to use the key container, you need to create that container for your certificate. You can do that with the following command:

    sn -i <cert file> <container name>

sn will work if you run it from the Visual Studio console. You can provide a container name of your choice, and that name will be passed to the “AssemblyKeyContainerName” parameter for msbuild.

Returning to the subject

You should now have a build that allows strong naming. If you want to check if an assembly is strongly named, you can run the following command:

    sn -T <assembly>
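
As an added example (not part of the original post), the PowerShell script below runs the same kind of check over a whole build output folder and fails the step if any managed assembly has no public key token. The parameter `$DropFolder` and the function name `Get-StrongNameStatus` are hypothetical names chosen for this example.

```powershell
# Added example, not from the original post.
# Reports the strong-name status of every .dll/.exe under a folder and
# exits with code 1 if any managed assembly has no public key token.
# $DropFolder is a hypothetical parameter; it defaults to the current folder.
param(
    [string]$DropFolder = '.'
)

function Get-StrongNameStatus {
    param([Parameter(Mandatory)][string]$Path)

    try {
        # Reads the assembly manifest only; the assembly is not loaded or run.
        $name = [System.Reflection.AssemblyName]::GetAssemblyName($Path)
    }
    catch [System.BadImageFormatException] {
        # Native DLLs and other non-.NET files have no assembly manifest.
        return [pscustomobject]@{ File = $Path; Status = 'NotManaged'; Token = '' }
    }

    # An unsigned assembly yields a null or empty public key token.
    $token = $name.GetPublicKeyToken()
    if ($null -eq $token -or $token.Length -eq 0) {
        return [pscustomobject]@{ File = $Path; Status = 'Unsigned'; Token = '' }
    }

    # Same 8-byte token that "sn -T" prints, as lowercase hex.
    $hex = -join ($token | ForEach-Object { $_.ToString('x2') })
    [pscustomobject]@{ File = $Path; Status = 'StrongNamed'; Token = $hex }
}

$results = @(Get-ChildItem -Path $DropFolder -Recurse -File -Include *.dll, *.exe |
    ForEach-Object { Get-StrongNameStatus -Path $_.FullName })

$results | Sort-Object Status, File | Format-Table -AutoSize

$unsigned = @($results | Where-Object { $_.Status -eq 'Unsigned' })
if ($unsigned.Count -gt 0) {
    Write-Error "$($unsigned.Count) assembly file(s) are not strong named."
    exit 1
}
```

A token only shows that a public key is embedded in the assembly; delay-signed assemblies carry one too, so `sn -vf <assembly>` is still needed to confirm that the strong-name signature itself is valid.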