I am creating an app with several DLLs and thought I could just call Assembly.GetPublicKey() at run time and see if the DLLs were signed by me. However, I now see there's a SetPublicKey method on the Assembly. Doesn't it make it easy for anyone to spoof my DLLs? Or am I checking the signature of the DLLs the wrong way?

Update: I have a plugin architecture and I am just trying to prevent someone hijacking my app by writing their own DLL.

A: 

Probably not the suggested route, but what I do for my DLLs is create a class and pass a private key to it to activate it.

var secureClass = new MyDLL.SecureClass("Password");

Then, in any method inside SecureClass, I call the following before I put any code:

If IsActivated() = False Then
    Alert_Not_Active()
    Return False
End If

Maybe there are better options, but this works perfectly for me. Make sure to use an application like Smart Assembly to protect your code from Reflection if it's extremely important coding.

Anthony Greco
+1  A: 

Is your entire application in .NET? When you compile, any assembly that references another should require the assembly be properly signed, and .NET should be able to handle this, and it should be transparent to you. You should not have to check assemblies yourself.

http://msdn.microsoft.com/en-us/library/ab4eace3.aspx

Ziplin
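
For the plugin case in the question, where DLLs are loaded at run time rather than referenced at compile time, here is an added example (not code from either answer) of checking a plugin file before loading it. It assumes .NET Framework on Windows; `PluginLoader`, `IsSignedByMe`, `LoadPlugin` and the token bytes are hypothetical names and placeholder values. `AssemblyName.SetPublicKey` only changes the in-memory `AssemblyName` object, not the DLL on disk, so it does not help a forger; the real gap is that a public key can be copied into an unsigned DLL, which is why the signature itself is verified.

```csharp
using System;
using System.Linq;
using System.Reflection;
using System.Runtime.InteropServices;

static class PluginLoader
{
    // Placeholder: the 8-byte public key token of your own signing key
    // (shown by "sn -T YourPlugin.dll"). Constructed value, not from the page.
    static readonly byte[] ExpectedToken =
        { 0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF };

    // Native CLR helper that re-hashes the file and checks the strong-name
    // signature against the public key embedded in the assembly.
    [DllImport("mscoree.dll", CharSet = CharSet.Unicode)]
    [return: MarshalAs(UnmanagedType.U1)]
    static extern bool StrongNameSignatureVerificationEx(
        string wszFilePath,
        [MarshalAs(UnmanagedType.U1)] bool fForceVerification,
        [MarshalAs(UnmanagedType.U1)] ref bool pfWasVerified);

    public static bool IsSignedByMe(string path)
    {
        // Reads metadata only; the plugin's code is not loaded or run here.
        AssemblyName name;
        try { name = AssemblyName.GetAssemblyName(path); }
        catch (BadImageFormatException) { return false; } // not a managed assembly

        byte[] token = name.GetPublicKeyToken();
        if (token == null || !token.SequenceEqual(ExpectedToken))
            return false; // unsigned, or signed with someone else's key

        // The public key is public and can be copied into any DLL, so a token
        // match alone proves nothing: force a real signature check on the file.
        bool wasVerified = false;
        return StrongNameSignatureVerificationEx(path, true, ref wasVerified)
               && wasVerified;
    }

    public static Assembly LoadPlugin(string path)
    {
        if (!IsSignedByMe(path))
            throw new InvalidOperationException("Rejected plugin: " + path);
        return Assembly.LoadFrom(path);
    }
}
```

Microsoft documents strong names as an identity mechanism rather than a security boundary, and the file can be replaced between the check and `LoadFrom`, so keep the plugin directory writable only by administrators.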