我是附着自己的插件中包含恶意code到我的应用程序搜索的方式prevent不认识的人。我跑过这个职位

I was searching on way to prevent an unknown party from attaching their own Plug In containing malicious code into my application. And I ran across this post

.NET程序集插件安全

这表明，以强名称的程序集，并检查它是强大的命名与负载预期的关键。

It suggests to Strong Name the assembly and check it is strong named with the expected key on load.

然而，当我看到有关强名称的程序集MSDN文档在这个网站

However, when I look at the MSDN documentation regarding Strong Named Assemblies at this site

强名称程序集

有一个警告，说

不要依赖于安全性强名称。他们只提供了一个独特的身份。

这是什么意思？什么是安全的，他们指的是，和这有关在上述堆栈溢出的链接我提供的？

What does this mean? What security are they referring to, and is this relevant to the answer in the above stack overflow link I provided?

推荐答案

这是一个有趣的评论。 从我的理解签名的程序集指示 1）已具有一定的密钥签名和 2）不能被签约之后修改

It's an interesting comment. From what I understand a signed assembly indicates 1) it has been signed with a certain key and 2) is could not have been modified after signing

在1点，关键的安全性很重要，因为任何人用钥匙可以修改并重新签署了组装。

On point 1, the security of the key is important as anyone with the key could modify and re-sign the assembly.

在第2点，我好像一个组件的修改成功的例子在线，同时还通过强名称验证。这是不平凡的。

On point 2, I have seem an example online of a successful modification of an assembly while still passing the strong name verification. It was not trivial.

所以技术上是正确的，你可以用它来验证身份，但不一定是安全的 - 或者说认证之间的差值（插件上签字，并没有被篡改）与授权（C本身的$ C $被授权做了一定行动）。

So technically correct, you can use this to verify identity but not necessarily security - or rather the difference between Authentication (the plugin was signed and not tampered with) versus Authorization (the code itself is authorized to do a certain action).

认证与授权