Sn.exe (Strong Name Tool)

The Strong Name tool (Sn.exe) helps sign assemblies with strong names. Sn.exe provides options for key management, signature generation, and signature verification.

Warning

Do not rely on strong names for security. They provide a unique identity only.

For more information on strong naming and strong-named assemblies, see Strong-Named Assemblies and How to: Sign an Assembly with a Strong Name.

The Strong Name tool is automatically installed with Visual Studio. To start the tool, use the Developer Command Prompt (or the Visual Studio Command Prompt in Windows 7). For more information, see Command Prompts.

Note

On 64-bit computers, run the 32-bit version of Sn.exe by using the Developer Command Prompt for Visual Studio and the 64-bit version by using the Visual Studio x64 Win64 Command Prompt.

At the command prompt, type the following:

Syntax

sn [-quiet][option [parameter(s)]]  

Parameters

Option Description
-a identityKeyPairFile signaturePublicKeyFile Generates AssemblySignatureKeyAttribute data to migrate the identity key to the signature key from a file.
-ac identityPublicKeyFile identityKeyPairContainer signaturePublicKeyFile Generates AssemblySignatureKeyAttribute data to migrate the identity key to the signature key from a key container.
-c [csp] Sets the default cryptographic service provider (CSP) to use for strong name signing. This setting applies to the entire computer. If you do not specify a CSP name, Sn.exe clears the current setting.
-d container Deletes the specified key container from the strong name CSP.
-D assembly1 assembly2 Verifies that two assemblies differ only by signature. This is often used as a check after an assembly has been re-signed with a different key pair.
-e assembly outfile Extracts the public key from assembly and stores it in outfile.
-h Displays command syntax and options for the tool.
-i infile container Installs the key pair from infile in the specified key container. The key container resides in the strong name CSP.
-k [keysize] outfile Generates a new RSACryptoServiceProvider key of the specified size and writes it to the specified file. Both a public and private key are written to the file.

If you do not specify a key size, a 1,024-bit key is generated by default if you have the Microsoft enhanced cryptographic provider installed; otherwise, a 512-bit key is generated.

The keysize parameter supports key lengths from 384 bits to 16,384 bits in increments of 8 bits if you have the Microsoft enhanced cryptographic provider installed. It supports key lengths from 384 bits to 512 bits in increments of 8 bits if you have the Microsoft base cryptographic provider installed.
-m [y|n] Specifies whether key containers are computer-specific, or user-specific. If you specify y, key containers are computer-specific. If you specify n, key containers are user-specific.

If neither y nor n is specified, this option displays the current setting.
-o infile [outfile] Extracts the public key from the infile and stores it in a .csv file. A comma separates each byte of the public key. This format is useful for hard-coding references to keys as initialized arrays in source code. If you do not specify an outfile, this option places the output on the Clipboard. Note: This option does not verify that the input is only a public key. If the infile contains a key pair with a private key, the private key is also extracted.
-p infile outfile [hashalg] Extracts the public key from the key pair in infile and stores it in outfile, optionally using the RSA algorithm specified by hashalg. This public key can be used to delay-sign an assembly using the /delaysign+ and /keyfile options of the Assembly Linker (Al.exe). When an assembly is delay-signed, only the public key is set at compile time and space is reserved in the file for the signature to be added later, when the private key is known.
-pc container outfile [hashalg] Extracts the public key from the key pair in container and stores it in outfile. If you use the hashalg option, the RSA algorithm is used to extract the public key.
-Pb [y|n] Specifies whether the strong-name bypass policy is enforced. If you specify y, strong names for full-trust assemblies are not validated when loaded into a full-trust AppDomain. If you specify n, strong names are validated for correctness, but not for a specific strong name. The StrongNameIdentityPermission has no effect on full-trust assemblies. You must perform your own check for a strong name match.

If neither y nor n is specified, this option displays the current setting. The default is y. Note: On 64-bit computers, you must set this parameter in both the 32-bit and the 64-bit instances of Sn.exe.
-q[uiet] Specifies quiet mode; suppresses the display of success messages.
-R[a] assembly infile Re-signs a previously signed or delay-signed assembly with the key pair in infile.

If -Ra is used, hashes are recomputed for all files in the assembly.
-Rc[a] assembly container Re-signs a previously signed or delay-signed assembly with the key pair in container.

If -Rca is used, hashes are recomputed for all files in the assembly.
-Rh assembly Recomputes hashes for all files in the assembly.
-t[p] infile Displays the token for the public key stored in infile. The contents of infile must be a public key previously generated from a key pair file using -p. Do not use the -t[p] option to extract the token directly from a key pair file.

Sn.exe computes the token by applying a hash function to the public key. To save space, the common language runtime stores public key tokens in the manifest as part of a reference to another assembly when it records a dependency to an assembly that has a strong name. The -tp option displays the public key in addition to the token. If the AssemblySignatureKeyAttribute attribute has been applied to the assembly, the token is for the identity key, and the name of the hash algorithm and the identity key is displayed.

Note that this option does not verify the assembly signature and should not be used to make trust decisions. This option only displays the raw public key token data.
-T[p] assembly Displays the public key token for assembly. The assembly must be the name of a file that contains an assembly manifest.

Sn.exe computes the token by applying a hash function to the public key. To save space, the runtime stores public key tokens in the manifest as part of a reference to another assembly when it records a dependency to an assembly that has a strong name. The -Tp option displays the public key in addition to the token. If the AssemblySignatureKeyAttribute attribute has been applied to the assembly, the token is for the identity key, and the name of the hash algorithm and the identity key is displayed.

Note that this option does not verify the assembly signature and should not be used to make trust decisions. This option only displays the raw public key token data.
-TS assembly infile Test-signs the signed or partially signed assembly with the key pair in infile.
-TSc assembly container Test-signs the signed or partially signed assembly with the key pair in the key container container.
-v assembly Verifies the strong name in assembly, where assembly is the name of a file that contains an assembly manifest.
-vf assembly Verifies the strong name in assembly. Unlike the -v option, -vf forces verification even if it is disabled using the -Vr option.
-Vk regfile.reg assembly [userlist] [infile] Creates a registration entries (.reg) file you can use to register the specified assembly for verification skipping. The rules for assembly naming that apply to the -Vr option apply to -Vk as well. For information about the userlist and infile options, see the -Vr option.
-Vl Lists current settings for strong-name verification on this computer.
-Vr assembly [userlist] [infile] Registers assembly for verification skipping. Optionally, you can specify a comma-separated list of user names to which skip verification should apply. If you specify infile, verification remains enabled, but the public key in infile is used in verification operations. You can specify assembly in the form *, strongname to register all assemblies with the specified strong name. For strongname, specify the string of hexadecimal digits representing the tokenized form of the public key. See the -t and -T options to display the public key token. Caution: Use this option only during development. Adding an assembly to the skip verification list creates a security vulnerability. A malicious assembly could use the fully specified assembly name (assembly name, version, culture, and public key token) of the assembly added to the skip verification list to fake its identity. This would allow the malicious assembly to also skip verification.
-Vu assembly Unregisters assembly for verification skipping. The same rules for assembly naming that apply to -Vr apply to -Vu.
-Vx Removes all verification-skipping entries.
-? Displays command syntax and options for the tool.

Note

All Sn.exe options are case-sensitive and must be typed exactly as shown to be recognized by the tool.

Remarks

The -R and -Rc options are useful with assemblies that have been delay-signed. In this scenario, only the public key has been set at compile time and signing is performed later, when the private key is known.

Note

For parameters (for example, -Vr) that write to protected resources such as the registry, run Sn.exe as an administrator.

The Strong Name tool assumes that public/private key pairs are generated with the AT_SIGNATURE algorithm identifier. Public/private key pairs generated with the AT_KEYEXCHANGE algorithm generate an error.

Examples

The following command creates a new, random key pair and stores it in keyPair.snk.

sn -k keyPair.snk  

The following command stores the key in keyPair.snk in the container MyContainer in the strong name CSP.

sn -i keyPair.snk MyContainer  

The following command extracts the public key from keyPair.snk and stores it in publicKey.snk.

sn -p keyPair.snk publicKey.snk  

The following command displays the public key and the token for the public key contained in publicKey.snk.

sn -tp publicKey.snk  
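
The -o and -t[p] options do not check whether their input file still holds a private key, so the check can be done before a .snk file is shared or tokenized. The following Python sketch is an added example, not part of the original page or of Sn.exe; it assumes the usual CryptoAPI blob layouts (a bare PRIVATEKEYBLOB from sn -k, a 12-byte prefix plus PUBLICKEYBLOB from sn -p) and the standard token rule (last 8 bytes of the SHA-1 hash of the public key, reversed). The function names and the sample blobs are constructed for illustration.

```python
import hashlib
import struct

PUBLICKEYBLOB, PRIVATEKEYBLOB = 0x06, 0x07  # CryptoAPI BLOBHEADER.bType values
CALG_RSA_SIGN = 0x2400                      # key algorithm of AT_SIGNATURE keys


def inspect_snk(data: bytes) -> dict:
    """Classify a strong-name key file without loading it into a CSP."""
    # `sn -k` writes a bare PRIVATEKEYBLOB; `sn -p` writes a public key with
    # a 12-byte prefix (SigAlgID, HashAlgID, cbPublicKey) before the blob.
    if len(data) >= 20 and data[0] == PRIVATEKEYBLOB:
        kind, blob, magic_expected = "keypair", data, b"RSA2"
    elif len(data) >= 32 and data[12] == PUBLICKEYBLOB:
        (size,) = struct.unpack_from("<I", data, 8)
        if size != len(data) - 12:
            raise ValueError("cbPublicKey does not match file length")
        kind, blob, magic_expected = "public", data[12:], b"RSA1"
    else:
        raise ValueError("not a strong-name key blob")
    # BLOBHEADER (type, version, reserved, aiKeyAlg) followed by RSAPUBKEY.
    _, _, _, alg, magic, bits, _ = struct.unpack_from("<BBHI4sII", blob)
    if magic != magic_expected:
        raise ValueError("RSA magic does not match blob type")
    return {"kind": kind, "has_private_key": kind == "keypair",
            "signature_key": alg == CALG_RSA_SIGN, "bits": bits}


def public_key_token(data: bytes) -> str:
    """Token as displayed by sn -t: last 8 bytes of SHA-1(blob), reversed."""
    if inspect_snk(data)["kind"] != "public":
        raise ValueError("key pair file: extract the public key with sn -p first")
    return hashlib.sha1(data).digest()[-8:][::-1].hex()


def constructed_blob(btype: int, magic: bytes, bits: int = 1024) -> bytes:
    """Constructed sample: real header layout, filler bytes instead of key data."""
    header = struct.pack("<BBHI4sII", btype, 2, 0, CALG_RSA_SIGN, magic, bits, 65537)
    return header + b"\xab" * (bits // 8)


SAMPLE_PAIR = constructed_blob(PRIVATEKEYBLOB, b"RSA2")
_body = constructed_blob(PUBLICKEYBLOB, b"RSA1")
# Prefix: SigAlgID = CALG_RSA_SIGN, HashAlgID = CALG_SHA1 (0x8004), blob length.
SAMPLE_PUBLIC = struct.pack("<III", CALG_RSA_SIGN, 0x8004, len(_body)) + _body

if __name__ == "__main__":
    for name, sample in (("keyPair.snk", SAMPLE_PAIR), ("publicKey.snk", SAMPLE_PUBLIC)):
        print(name, inspect_snk(sample))
    print("token:", public_key_token(SAMPLE_PUBLIC))
```

For a real file, pass the bytes read from disk to inspect_snk; the token it yields identifies a key only and, like the output of -t and -T, says nothing about whether an assembly's signature is valid.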

The following command verifies the assembly MyAsm.dll.

sn -v MyAsm.dll  

The following command deletes MyContainer from the default CSP.

sn -d MyContainer  
