Questions on strong names

Frank Oquendo

How do you go about verifying that an assembly with a strong name has
not been tampered with? And how do you verify that it's been signed by a
particular author or vendor?

--
There are 10 kinds of people. Those who understand binary and those who
don't.

http://code.acadx.com
(Pull the pin to reply)
 
How do you go about verifying that an assembly with a strong name has
not been tampered with?

The .NET fusion engine just won't load the corrupted assembly. I have tried
this myself by altering some bytes in a DLL file on purpose. An exception is
thrown upon an attempt to load such an assembly.

And how do you verify that it's been signed by a particular author or
vendor?

By comparing the assembly's public key with the a priori known one of the
author/vendor. There is a better way to do that, but it requires obtaining a
digital signature which is not free and AFAIK requires some paperwork.
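
The public-key comparison described in the reply above, as an added C# example that is not part of the original thread: it reads the strong-name public key from an assembly's metadata and compares it with a pinned copy of the publisher's key. The class and method names, the command-line arguments, and the use of the runtime's core library as sample input are assumptions made for illustration.

```csharp
using System;
using System.IO;
using System.Reflection;

static class PublisherCheck
{
    static string Hex(byte[] b) =>
        BitConverter.ToString(b ?? new byte[0]).Replace("-", "").ToLowerInvariant();

    // Reads the strong-name public key from metadata only; the assembly is not
    // loaded for execution. Returns "" when the file carries no strong name.
    static string ReadPublicKeyHex(string path) =>
        Hex(AssemblyName.GetAssemblyName(path).GetPublicKey());

    // True only if the assembly's full public key equals the pinned one.
    // The 8-byte token is a truncated SHA-1 of the key, so pin the full key.
    static bool HasPublisherKey(string path, string pinnedKeyHex)
    {
        string actual = ReadPublicKeyHex(path);
        return actual.Length > 0 &&
               string.Equals(actual, pinnedKeyHex.Trim(), StringComparison.OrdinalIgnoreCase);
    }

    // Usage (hypothetical): PublisherCheck <assembly> [pinned-key-hex]
    static int Main(string[] args)
    {
        // No arguments: use the runtime's core library as sample input.
        string path = args.Length > 0 ? args[0] : typeof(object).Assembly.Location;
        try
        {
            if (args.Length < 2)
            {
                // Enrollment: print the key of a copy obtained from the vendor.
                Console.WriteLine(ReadPublicKeyHex(path));
                return 0;
            }
            bool ok = HasPublisherKey(path, args[1]);
            Console.WriteLine(ok ? "public key matches pinned key" : "MISMATCH or unsigned");
            // Key identity only: this does not re-verify the signature over the
            // file contents. On .NET Framework, `sn -vf <assembly>` forces that check.
            return ok ? 0 : 1;
        }
        catch (Exception e) when (e is BadImageFormatException || e is IOException)
        {
            Console.Error.WriteLine("not a readable .NET assembly: " + e.Message);
            return 2;
        }
    }
}
```

The pinned key has to reach the client over a channel the assembly's distributor does not control, otherwise a replaced assembly can ship with a replaced key.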
 
My understanding is that given a strongly named assembly and the public key,
you can be assured that
- yes, the entity that gave you that key is the one who made this assembly
- and yes, it's the version you think it is (hasn't been tampered with)

What digital signing adds is to say
- yes, the entity that gave you that assembly is XYZ Company.

The digital signing requires a certificate issued by a known trusted source,
like Verisign. Yes it takes $ and paperwork to get one.

Dmitriy Lapshin said:
How do you go about verifying that an assembly with a strong name has
not been tampered with?

The .NET fusion engine just won't load the corrupted assembly. I have tried
this myself by altering some bytes in a DLL file on purpose. An exception is
thrown upon an attempt to load such an assembly.

And how do you verify that it's been signed by a particular author or
vendor?

By comparing the assembly's public key with the a priori known one of the
author/vendor. There is a better way to do that, but it requires obtaining a
digital signature which is not free and AFAIK requires some paperwork.

--
Dmitriy Lapshin [C# / .NET MVP]
X-Unity Test Studio
http://x-unity.miik.com.ua/teststudio.aspx
Bring the power of unit testing to VS .NET IDE
 
Daniel said:
My understanding is that given a strongly named assembly and the
public key, you can be assured that
- yes, the entity that gave you that key is the one who made this
assembly

So how do you extract the public key from your signature file? And how
would a client go about using that key to verify the source of the
assembly?

--
There are 10 kinds of people. Those who understand binary and those who
don't.

http://code.acadx.com
(Pull the pin to reply)
 