Test Signing in Action: IronPython Beta 7

The IronPython team just announced their v1.0 beta 7 release, which is especially interesting to me because they’ve enabled IronPython to be signed with a test key signature.

Beta 7 has four configurations, the standard Release and Debug along with Signed versions of both. If you choose a Signed version, the build will look for an IronPythonKey.snk in the solution directory which it uses to delay sign the generated assemblies. After the build, it looks for a TestKey.snk file in the solution directory to test key sign with, generating it if necessary. Finally, it runs SN to extract the public key from the test key file, and register the output assemblies as test key signed (using both the 32 and 64 bit SN tools if present).

What’s interesting to notice here is they automatically generate the test key pair if they don’t find it, which is a completely reasonable way to setup developer machines. In fact, we can see one of the big benefits of test key signing in this scenario. Since each developer will have a different test key pair, everybody will have a different skip verification entry for the IronPython assemblies. Even within a single company, where you might have a standard IronPythonKey.snk that everybody is using (and perhaps trusting in policy), an attacker would be unable to craft an assembly which impersonated that key, since each development machine would require the assembly be test signed with a different key.