cignox1

Digital signature in .Net

Ok, I should have posted in the .Net forum perhaps, but first I need to know if the whole idea is meaningful :-) I want a reliable way to verify if a given plugin for my application has been written by me (actually, the company I work for). What I thought was to create a file (at compile time) containing the hash values for all the assemblies of the plugin, and then encrypting that file with a private key. When the main program loads the plugin it decrypts that file with the public key (although it will be hidden somehow) and checks the hashes against all the assemblies. If this test succeeds, the plugin is allowed to run. Is this The Evil, or is this a standard way to do this sort of thing? And which are the best .net classes to do this (It seems that RSACryptoServiceProvider should do the job, but I'm not sure how the private and public keys should be handled, i.e. generated and deployed). Thank you!

You can use cryptographically signed assemblies for that. Just check the signature and be done with it. Microsoft also calls them "strong names", just to help your search.

Check MSDN or other resources to read how.

Thank you, I know about strong names but for some reason the main developer of the application would like to avoid it, though I suppose we could reconsider that if there are no good alternatives...

"for some reason the main developer of the application would like to avoid it"

I'd be very interested to know what that reason is.
If he's afraid of having to reset his references then he is probably using strong name versioning the wrong way.

I think that he wanted to build a tool to automatically sign some of the files (not only assemblies) based on certain conditions.

That said, I think I solved it by creating a list of filenames/hashes and writing it into a file. Then I use DSACryptoServiceProvider to sign that list.
The client checks the signature of that list file. If the test succeeds, it tests every listed file against the provided hash.

I made a simple tool to do that and it seems to work.
Thank you anyway for answering!

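The scheme described in the last post, as an added example that is not the poster's tool: a sorted list of file names and SHA-256 hashes is signed, and the client checks the signature before it checks any file. It substitutes RSA with SHA-256 for DSACryptoServiceProvider, goes one step further than the post by also rejecting files that are not listed, and assumes .NET 6 or later; `PluginManifest`, the file names and the in-memory key are hypothetical.

```csharp
using System;
using System.IO;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

// Constructed demo input: two small files standing in for a plugin directory.
string dir = Directory.CreateDirectory(Path.Combine(Path.GetTempPath(), Path.GetRandomFileName())).FullName;
File.WriteAllText(Path.Combine(dir, "Plugin.dll"), "constructed assembly bytes");
File.WriteAllText(Path.Combine(dir, "plugin.config"), "constructed settings");

using RSA signer = RSA.Create(3072);                   // build machine: holds the private key
byte[] manifest = PluginManifest.Build(dir);
byte[] signature = PluginManifest.Sign(manifest, signer);

using RSA verifier = RSA.Create(signer.ExportParameters(false)); // client: public half only
Console.WriteLine(PluginManifest.Verify(dir, manifest, signature, verifier));
File.AppendAllText(Path.Combine(dir, "Plugin.dll"), "x");        // tamper with a listed file
Console.WriteLine(PluginManifest.Verify(dir, manifest, signature, verifier));

static class PluginManifest
{
    // One "relative/path|SHA256HEX" line per file, sorted ordinally so the same
    // directory always yields the same bytes. Assumes no '|' or newline in file names.
    public static byte[] Build(string dir) =>
        Encoding.UTF8.GetBytes(string.Join("\n",
            Directory.GetFiles(dir, "*", SearchOption.AllDirectories)
                .Select(f => Path.GetRelativePath(dir, f).Replace('\\', '/'))
                .OrderBy(p => p, StringComparer.Ordinal)
                .Select(p => p + "|" + HashFile(Path.Combine(dir, p)))));

    static string HashFile(string file)
    {
        using var sha = SHA256.Create();
        using var stream = File.OpenRead(file);
        return Convert.ToHexString(sha.ComputeHash(stream));
    }

    // Signing hashes the manifest and signs the digest; nothing is "encrypted".
    public static byte[] Sign(byte[] manifest, RSA privateKey) =>
        privateKey.SignData(manifest, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);

    // Signature first: an unsigned manifest is never trusted. Then the directory is
    // re-hashed and compared byte for byte, which catches changed, missing and extra files.
    public static bool Verify(string dir, byte[] manifest, byte[] signature, RSA publicKey) =>
        publicKey.VerifyData(manifest, signature, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1)
        && Build(dir).SequenceEqual(manifest);
}
```

The public key embedded in the client does not need to be hidden; it only needs to be protected from replacement, while the private key stays on the build machine.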
