My scenario is we have one program (exe) that will start other programs if found in a particular folder. I want to ensure it only ever starts programs which are signed with our Corporate certificate (Verisign approved etc). Essentially then it will only start the programs with the same certificate as itself. I don't want to ship the certificate itself.
I've been searching the web and the system namespace and haven't found a clear example that reads the certificate data from a file and also validates it, and can check against another file. The closest I've found is Signtool and and having this verification in a separate exe is kind of point less. I know the Strong Naming stuff wont help because a digitally signed file is different as helpfully explained here (http://blog.codingoutloud.com/2010/03/13/three-ways-to-tell-whether-an-assembly-dl-is-strong-named/) Also some other examples in SO showing encryption and verification of raw data but not an assembly where it's packaged up together in some way.
Any ideas or suggestions?
To detect whether the assembly file is signed or not, right click on the file and click the 'Properties' from the context menu. If you see a 'Digital Signatures' tab in the properties window, that means, the file is signed by a digital signature (as shown below).
Open the properties sheet for the . dll from Windows Explorer. If a tab "Digital Signatures" is shown, it's a signed assembly. If the tab is missing, it's unsigned.
Step 1: Right-click on the program that you want to check and select properties from the context menu that is displayed. Step 2: Select the Digital Signatures tab in the Properties window. Step 3: If you see signatures listed on the tab, you know that the file has been signed digitally.
Check the signature on an EXE or MSI fileRight-click the EXE or MSI file and select Properties. Click the Digital Signatures tab to check the signature.
Here's a blog post with code samples on how to verify assembly signatures:
http://blogs.msdn.com/b/shawnfa/archive/2004/06/07/150378.aspx
The code sample at the end shows how to verify if an assembly was signed by Microsoft or not - you can do the same by getting the certificate token for your company's certificate(s).
Update: user @Saber edited this with the following update, but that update was rejected by others. However, it is very valid advice, so I am reposting his/her edit since SO won't let me approve it:
Edit (thank you, OP): If you want to do this more securely (i.e. make your program more tamper-proof), reference an assembly in your program which is strongly named with the relevant key, then use the token of the referenced assembly to compare with the token of the calling assembly. If you use a byte arrays (as per the link), it can simply be hex edited and changed.
You can try three option here.
1) The first one is using Assembly load like here:
Assembly myDll =
Assembly.Load("myDll, Version=1.0.0.1, Culture=neutral, PublicKeyToken=9b35aa32c18d4fb1");
You can print the hexadecimal format of the public key and public key token for a specific assembly by using the following Strong Name (Sn.exe) command:
sn -Tp <assembly>
If you have a public key file, you can use the following command instead (note the difference in case on the command-line option):
sn -tp <assembly>
2) The second one is mentioned here. And use p/Invoke for such issue.
3) Also exists third, more agile, and more complex way for doing this. This is a Binding Policy. You can take it into account in the case when you should to provide upgrades for an application that's already deployed. When a new version of a shared component comes out that your application can benefit from, an application policy file will allow you to provide these benefits without recompiling or replacing existing installations.
You can find more about this feature here:
http://msdn.microsoft.com/en-us/library/aa309359%28v=vs.71%29.aspx
http://ondotnet.com/pub/a/dotnet/2003/03/17/bindingpolicy.html
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With