[Mono-list] Checking for valid assembly signature

Sebastien Pouliot sebastien.pouliot at gmail.com
Mon Aug 25 07:58:21 EDT 2008


On Mon, 2008-08-25 at 10:17 +0200, paszczi wrote:
> Hello,
> 
> I have just faced a problem for which I cannot find the solution. My
> app has a plugin architecture, during app startup all plugins all
> loaded. However, I want to be able to somehow verify whether plugin
> comes from trusted source. So I thought of assembly signing, however I
> couldn't find any managed API (on
> http://blogs.msdn.com/shawnfa/archive/2004/06/07/150378.aspx they
> suggest using P/Invokes :/) to verify whether the signature is valid.
>  Is there any way to do it? 

Mono.Security.dll provides everything you need to generate and verify
strongname signatures. It's fully managed and works on both Mono and MS
runtime.

Look at sn.cs source code (inside /mcs/tools/security/) to see how it's
done.

> Or should I take different approach? 

You could also use authenticode (certificate-based) signatures. This is
also supported in Mono.Security.dll. Look at chktrust.cs source code
(same dir).

> Second question is somehow related to the first one. Can I sign
> assembly with key that came from the certificate (in pkcs#12 format
> for what it's worth).

Can you strongname an assembly with the key stored inside a PKCS#12
file ? Yes, if the key type (RSA) or size (1024, or for 2.0+, a multiple
of 1024 iirc) is used.

Sebastien



More information about the Mono-list mailing list