What Happens When You Sign With A Larger Key

In response to last Friday’s post about creating a key that’s longer than 1024 bits, Nicole wondered if anyone had tried doing this, and what the results might be.

I just created a 16,384 bit key on beta 1 of the framework (confirming Eugene’s time estimate from Friday, this did take just over an hour).  Then I signed a simple HelloWorld application with both a standard 1024 bit key and this new larger key.

In order to find the signature, we need to look at the StrongNameSignature field of the IMAGE_COR20_HEADER structure (which you can find in either winnt.h of the Windows Platform SDK or in corhdr.h of the .NET Framework SDK).  Checking this field on both files shows:

Key Size Signature Size
1024 bit 128 bytes
16384 bit 2048 bytes

So, when you sign with a bigger key, the compiler just allocates a larger area in the PE file for the signature to be stored.  Without digging into the PE file, you can also find the public key of the assembly by running ILDasm on it, and noticing that the key size is much bigger than if the signature had been done with a standard size key.

Comments (5)

  1. Nicole Calinoiu says:

    I guess my "practical limitations" euphemism was a bit too polite. <g> Obviously, given the flexibility available wrt key and signature sizes in the spec for the PE file format, it should be theoretically possible to sign an assembly with a max size key. However, a somewhat more interesting question (particularly in the absence of any relevant documentation) is whether the Microsoft tools that will ship with Framework 2.0/VStudio 2005 will actually be able to fully support signing with large key sizes. I’ve already tested full and delay signing with a max size key (from file, not container) using a C# executable with a 512 file alignment. Both the C# compiler and sn -R seem to be able to handle this boundary case. However, there are other compilers, other types of assemblies, and other post-compilation manipulations to consider, and problems can raise their ugly heads even if boundary tests pass…

    I guess my real question here is whether it’s really worth attempting to work with large key sizes during the beta. If there were documentation stating that all the valid RSA key sizes should be useable for signing, then any problems encountered while attempting to use a large key would presumably be addressable bugs. Otherwise, why bother wasting time on every compilation attempting to test scenarios that won’t be supported?

  2. Shawn says:

    I see … well, these *should* be documented, they are official supported features. So any bugs you do find will be addressable and looked at by the CLR team. I’ve let our documentation guy know that there’s a doc hole here, and hopefully he’ll be able to get those together for a later release of MSDN.


  3. Nicole Calinoiu says: