Hi there. I have a program that is extendable by plugins using the Microsoft Extensibility Framework. But I don't want untrusted sources to give out plugins that may be insecure. So I want to sign the plugins (maybe with Visual Studio's built-in signing) and check if the plugins are trustworthy at program start.

I didn't find a way to check DLL signing from inside C#. There is also the problem that I load the plugins with a DirectoryCatalog. There is no way to tell which plugin is from which file. Does anyone know a way to do this?

Thanks for any help, Marks

+1  A: 

You won't be able to use the DirectoryCatalog. You will need to filter the assemblies yourself based on whether they are signed correctly. You can iterate through the files in a directory, and call AssemblyName.GetAssemblyName for each one. Then look at the KeyPair property of the AssemblyName to determine whether the assembly is signed with a key you trust. If it is, then create an AssemblyCatalog for that class and add it to an AggregateCatalog which you will pass to the container.

Daniel Plaisted
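
The filtering approach from the answer above, sketched as an added example that is not part of the original post. It assumes the trusted key is identified by its public key token and compares `AssemblyName.GetPublicKeyToken()` rather than the `KeyPair` property; the class name `TrustedPluginLoader` and the token bytes are placeholders.

```csharp
using System;
using System.ComponentModel.Composition.Hosting;
using System.IO;
using System.Linq;
using System.Reflection;

static class TrustedPluginLoader
{
    // Placeholder value: replace with the 8-byte public key token of your signing key.
    static readonly byte[] TrustedToken = { 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77 };

    public static CompositionContainer Load(string pluginDir)
    {
        var aggregate = new AggregateCatalog();
        foreach (string path in Directory.GetFiles(pluginDir, "*.dll"))
        {
            if (!IsTrusted(path))
            {
                Console.Error.WriteLine("Skipping plugin without trusted strong name: " + path);
                continue;
            }
            // One AssemblyCatalog per file keeps the plugin-to-file mapping
            // that DirectoryCatalog hides.
            aggregate.Catalogs.Add(new AssemblyCatalog(path));
        }
        return new CompositionContainer(aggregate);
    }

    static bool IsTrusted(string path)
    {
        try
        {
            // Reads the assembly manifest without loading the assembly.
            AssemblyName name = AssemblyName.GetAssemblyName(path);
            byte[] token = name.GetPublicKeyToken();
            // Unsigned assemblies yield a null or empty token.
            return token != null && token.SequenceEqual(TrustedToken);
        }
        catch (BadImageFormatException) { return false; } // not a managed assembly
        catch (FileLoadException) { return false; }       // unreadable or invalid file
    }
}
```

Comparing the token only reads the key recorded in the manifest; it does not itself verify the strong-name signature over the file contents. Microsoft's documentation describes strong names as providing a unique identity rather than a security guarantee, so keep the plugin directory writable only by trusted accounts.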