Simon Fell: "I thought that the test.exe manifest included the public key token of the version of real.dll that it got compiled against, and that this was verified at runtime". Actually, when an assembly is loaded from the GAC the signature isn't verified. Instead, the signature is verified when the assembly is put into the GAC. This is actually OK, since the GAC is a secured resource. By default, members of the Users group can't run gacutil -i - only members of Power Users or Adminstrators groups (basically, security principals in the ACL on %SYSTEMROOT%AssemblyGAC - thx to Si for decoding the ACL). If hackers are able to tamper with these ACLs, they can do what the original poster did. However, if they can touch DLLs in %SYSTEMROOT% at will, hacking a shared assembly in the GAC is probably the least of your concerns.
FWIW, if you want signature verification on *every* load, use a private strongly named assembly deployed along with the application.
As for what guarantees all of this strong naming gives us: the public key token in assembly extern reference in the client manifest serves to verify that the originator who signed the component assembly which is being loaded, is the same originator who signed the component assembly that the client was initially built against. Furthermore, the public key in the component assembly manifest lets us confirm that the signature could only have come from someone who has the matching private key, which is protected (right?) with the appropriate degree of pomp and circumstance. Note however that none of this lets us actually *identify* the originator (was it Microsoft Incorporated or Razorsoft Incorporated) - it merely let's us unambiguously bind against a component from the same originator as we were originally compiled against. FYI, it is also possible to use real certificates here, to give the assembly a digital signature that ties the originator to a real business entity (using signcode.exe), but that's another blog.
[Peter Drayton's Radio Weblog]
A good explanation. We are using strong names, signing and the GAC. I think I lost you on the part about to "identify" the originator. It was my impression that with marking the assemblies or Interops "promary", including a strong name, and fully signing it, we could gaurentee that one would know it came from our coporation. If I understand what you're saying it only ensures the signature in the assembly manifest when loaded is the same as the originator it was built with. Right?
5:42:26 PM 
|
|
