I have an application that has 1 referenced assembly (test.exe, test.dll)
What I want is when the test.exe runs, it should show publisher name as "TestCompany".
To do that, I digitally signed it and it does what I want. And if I alter one byte of test.exe the publisher name is "Unknown". Which is good.
But if I alter the test.dll, the app runs as nothing happened and shows publisher name as "TestCompany". Which is not good for me.
So I put strong name on test.dll and added <bypassTrustedAppStrongNames enabled="false" /> in app.config.
Again, no difference. So I searched again and found out bypassTrustedAppStrongNames only checks if assemblies has strong name or not. Not the verification. Which is not good for me again.
What I exactly want is to protect the user, not my application. If user runs my application and it says its from me, it must be from me as every single byte. If the app was altered, even a single byte, it must notify user, its not from me. Which is what digitally sign suppose to do along with strong name but they all seems not so good yet. Or am I missing something ?
The last possible way I can think of is to manually check the strong name of assembly.
PS : Target .net framework is 2.0
Using Strong Names The primary way to protect your assemblies from attack is to attach a strong name. Strong names are pairs of keys (strings of numbers)—one private and one public. The private key is held inside the assembly and is inaccessible.
An assembly signed with a digital certificate presents evidence to the runtime describing the certificate that was used to sign the assembly. An administrator, user or application may modify security policy to state that this evidence can grant a particular permission.
Call the digital signature tool signtool.exe that is located in your Microsoft SDK toolkit as shown below. Choose 'custom' in the digital signing options, as shown below. Choose 'Select from File' option from this screen, and select the digital certificate that you have purchased.
Most of my important assemblies are not loaded as reference in my project. What I do is to declare interop interfaces (common to all projects as a base... yes, this on is referenced..) then I load all assemblies at runtime using:
 Assembly assembly = Assembly.Load("myDll, Version=1.0.0.1, Culture=neutral, PublicKeyToken=9b35aa32c18d4fb1");
 Type type = assembly.GetType("MyClass");
 object instanceOfMyType = Activator.CreateInstance(type);
I use this for several reasons. I have different class implementations that I must call depending on user/customer configuration. It also seems a nice option to guarantee that you are loading an specific assembly with my public token and version.
After a little research, I found these posts:
Well, I was kind of shocked after looking at your question.. It raises me concerns about referencing my DLLs now. I don't know how safe this is anymore, but it seems to be pretty safer than just referencing it.
I haven't found any reference in MS documentation for using Assembly.Load and bypassTrustedAppStrongNames. I will run some tests later, but it seems safer to use this.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With