Is it possible to check if a dynamically loaded assembly has been signed with a specific strong name? Is it enough / secure to compare the values returned from the AssemblyName.GetPublicKey() method?
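
    // Requires: using System.Linq; using System.Reflection;
    Assembly loaded = Assembly.LoadFile(path);
    // Public key declared in the loaded assembly's metadata
    byte[] evidenceKey = loaded.GetName().GetPublicKey();
    if (evidenceKey != null)
    {
        // Public key of the host (the executing assembly)
        byte[] internalKey = Assembly.GetExecutingAssembly().GetName().GetPublicKey();
        if (evidenceKey.SequenceEqual(internalKey))
        {
            return extension;
        }
    }
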
Can't this be spoofed? Not sure if the SetPublicKey() method has any effect on a built assembly, but even the MSDN documentation shows how you can use this on a dynamically generated assembly (reflection emit), so that would mean you could extract the public key from the host application and inject it into an assembly of your own and run malicious code if the above was the safeguard, or am I missing something?
Is there a more correct and secure approach? I know if the reverse situation was the scenario, i.e. where I wanted to secure the assembly from only being called by signed hosts, then I could tag the assembly with the StrongNameIdentityPermission attribute.
Thanks
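
An added example, not part of the original post: the comparison in the question only reads the public key the file declares about itself, so this sketch also forces the strong-name signature to be verified against that key before anything is loaded. It assumes .NET Framework on Windows (the check is a P/Invoke into `mscoree.dll`); the class and method names are hypothetical.

```csharp
using System;
using System.Linq;
using System.Reflection;
using System.Runtime.InteropServices;

static class StrongNameCheck
{
    // Native strong-name API exported by mscoree.dll (.NET Framework, Windows only).
    [DllImport("mscoree.dll", CharSet = CharSet.Unicode)]
    [return: MarshalAs(UnmanagedType.U1)]
    private static extern bool StrongNameSignatureVerificationEx(
        [MarshalAs(UnmanagedType.LPWStr)] string wszFilePath,
        [MarshalAs(UnmanagedType.U1)] bool fForceVerification,
        [MarshalAs(UnmanagedType.U1)] ref bool pfWasVerified);

    // Hypothetical helper: true only if the file at 'path' declares the host's
    // public key AND its strong-name signature verifies against that key.
    public static bool IsSignedWithHostKey(string path)
    {
        byte[] hostKey = Assembly.GetExecutingAssembly().GetName().GetPublicKey();
        if (hostKey == null || hostKey.Length == 0)
            return false; // host is unsigned, nothing to compare against

        // Read the declared public key without loading (and running) the assembly.
        byte[] declaredKey;
        try { declaredKey = AssemblyName.GetAssemblyName(path).GetPublicKey(); }
        catch (BadImageFormatException) { return false; } // not a managed assembly

        if (declaredKey == null || !declaredKey.SequenceEqual(hostKey))
            return false;

        // The declared key is just metadata that anyone can copy into a file.
        // Force verification so skip-verification entries and the full-trust
        // strong-name bypass do not turn this into a no-op.
        bool wasVerified = false;
        bool ok = StrongNameSignatureVerificationEx(path, true, ref wasVerified);
        return ok && wasVerified;
    }
}
```

The check and the later load are two separate reads of the file, so the directory holding the extensions must not be writable by untrusted users, otherwise the file can be swapped between the two.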