试图让我的头周围authenti code code-签名和强命名。

难道我就在想，如果我code-签署引用几个dll文件（不强命名）恶意用户可以取代我的DLL和分发，如果它的签署出现了一种应用程序的EXE由我，但正在运行的code？

假设这是真的，好像你不会真的想不签一个.NET应用程序强命名整个事情，否则你给人一个应用程序的幌子下，执行code的能力你写的？

我不能确定的原因，就是没有我在网上找到的文章（包括MSDN文档有关使用SN + Authenti code）似乎提到这一点，这似乎是一个很重要的一点理解（如果我理解正确的话）？

解决方案        

难道我就在想，如果我code-签署引用几个dll文件（不强命名）恶意用户可以取代我的DLL和分发，如果它的签署出现了一种应用程序的EXE由我，但正在运行的code？

  

是如果该DLL文件的剩余部分只签而不强命名的，他们可以在没有.NET引发异常所取代。你可以，exe文件里面，验证DLL是由同一个键作为exe文件签署。所有这些方法prevent有人更换你的DLL或EXE文件。

       

假设这是真的，好像你不会真的想不签一个.NET应用程序强命名整个事情，否则你给人一个应用程序的幌子下，执行code的能力你写的？

  

通常我想这是'最佳实践'，但你又没有prevented什么。一旦用户更改本地系统上的文件的权利没有太多可以做，以免受恶意行为阻止他们。

有一些混淆技术，构建完整的.NET项目到一个单一的exe文件，这可能使最安全的做法，但仍然可以篡改。

真正的问题是什么，您在做尝试prevent呢？我的意思是说，为什么会有人有兴趣更换你的DLL？什么他们希望实现的，什么是他们的目标是什么？如果你想以prevent有人从读取的过程中，你的敏感信息失望的漫长艰苦的道路。假设一个恶意的一方能够完全访问你的源$ C ​​$ c和每件所使用的过程信息，因为他们做的。假设他们可以随意更换你的所有code或一部分，因为他们可以。

更新

       

所以，结合重定向将只与组件的强名称使用相同的密钥工作，因此并保护你的DLL被改变？

  

正确的，与著名的例外是code注射液，仍然可以以多种方式进行。

       

......再回到原来的问题，确实code-签约没有强大的命名有点削弱code-签约的地步？

  

不是真的。 code签字（不强命名）有两种不同的用途：

验证。验证谁是软件的作者。 完整性。验证该软件没有被篡改过，因为它被签署。

通常，这只是验证，在安装过程中进行验证。这就是为什么我们签署我们的setup.exe，以确保客户收到的未经修改的安装程序从我们这里。他们在系统提示您是否信任XXXX公司，并因此授予授权的认证/签名的安装程序。一旦安装但很少有内置使用code签署的操作系统（除了司机和其他一些模糊的情况下）。

在其他强命名过了一个完全不同的目的，它的存在。它完全专注于应用程序的'诚信'。没有证书，没有签名颁发机构（CA）来验证它对抗，没有用户可显示的信息为他们确认，并没有什么操作系统可以验证有关可执行它要运行。

在.NET框架使用强名称为很多事情，所有的人我松散归类为应用程序的完整性：

的DLL / EXE文件的内容已签署一个散列，以便它可以不被篡改。 在每个引用必须是强命名并加载的依赖时验证。 组件可以在GAC注册并发布策略可用于 本机图像可以ngen'd生产组装的IL的编译形象。

我敢肯定有我错过这里其他的东西，但这些都是主要用途我所知道的。

对于签名和

最佳实践强命名

使用一个签名的安装程序 使用一个code-签名的可执行 使用具有强名称的可执行文件 在强名称所有的依赖和对它们的引用 code签名依赖一般不要求* 在考虑GAC注册组件在安装时

*注：code签名可以在某些情况下，一个DLL非常有用，例如COM对象标记为安全，并嵌入到应签署一个浏览器和强大的命名就好像它是一个可执行文件。 code签约还可以在外部核实相关性，而无需加载组件或反射它的属性是有用的。

Trying to get my head around authenticode code-signing and strong-naming.

Am I right in thinking that if I code-sign an exe that references a few dlls (not strong named) that a malicious user could replace my DLLs and distribute the app in a way that appears as if it's signed by me, but is running their code?

Assuming that's true, it seems like you wouldn't really want to sign a .NET app without strong-naming the whole thing, otherwise you're giving people the ability to execute code under the guise of an app you wrote?

The reason I'm unsure, is that none of the articles I found online (including the MSDN doc about using SN+Authenticode) seem to mention this, and it seems like a fairly important point to understand (if I've understood correctly)?

解决方案

Am I right in thinking that if I code-sign an exe that references a few dlls (not strong named) that a malicious user could replace my DLLs and distribute the app in a way that appears as if it's signed by me, but is running their code?

Yes if the remainder of the DLLs are only signed and not strong named they can be replaced without .NET raising an exception. You could, inside the exe, verify the DLLs are signed by the same key as the exe. None of these approaches prevent someone from replacing your DLLs or the EXE.

Assuming that's true, it seems like you wouldn't really want to sign a .NET app without strong-naming the whole thing, otherwise you're giving people the ability to execute code under the guise of an app you wrote?

Generally I suppose that is the 'best practice', but again you have not prevented anything. Once a user has the rights to change files on the local system there is not much you can do to stop them from malicious activity.

There are several obfuscation technologies that build complete .NET projects into a single exe, this might make the 'most secure' approach but still can tampered with.

The real question is what are you trying to prevent them from doing? I mean to say, why would someone be interested in replacing your dll? What would they hope to achieve, what is their goal? If you're trying to prevent someone from reading sensitive information from the process you in for a long hard road of disappointment. Assume a malicious party has complete access to your source code and every piece of information used by your process, because they do. Assume they can replace all or part of your code at will, because they can.

Updated

So binding redirect will only work with assemblies strong-named with the same key, and therefore does protect you from DLLs being changed?

Correct, with the noted exception that code injection can still be done in numerous ways.

... and back to the original question, does code-signing without strong-naming kinda undermine the point of code-signing?

Not really. Code signing (not strong naming) has two distinct purposes:

Authentication. Verifying who the author of the software is. Integrity. Verifying that the software hasn’t been tampered with since it was signed.

Often this is only authenticated and validated during installation. This is why we sign our setup.exe, to ensure that the customer has received the unmodified installer from us. They are prompted with the "Do you trust XXXX Company" and are thereby granting authorization to the authenticated/signed installer. Once installed however there is little built-in use of code signing by the OS (except for drivers and some other obscure cases).

Strong Naming on the other had has a completely different purpose for it's existence. It's entirely focused on 'integrity' of the application. There is no certificate, no signing authority (CA) to verify it against, no user-displayed information for them to confirm, and nothing the OS can verify about the executable it's going to run.

The .NET framework uses strong names for many things, all of them I loosely categorize as application integrity:

The contents of the dll/exe has a signed hash so that it cannot be tampered with. Each reference must be strong named and verified when loading the dependency. Assemblies can be registered in the GAC and publisher policies can be used. Native images can be ngen'd to produce a compiled image of the assembly's IL.

I'm sure there are other things I'm missing here, but these are primary uses I'm aware of.

Best practices for Signing and Strong-naming

Use a signed installer Use a code-signed executable Use a strong-named executable Strong name all dependencies and references to them Code signing dependencies is not generally required* Consider GAC registering assemblies at install time

*Note: Code signing can be useful in some cases for a DLL, for example COM objects marked 'safe' and embedded into a browser should be signed and strong-named as if it were an executable. Code signing can also be useful in externally verifying dependencies without loading the assembly or reflecting it's attributes.