According to this answer verifying an assembly's strong name after it has been loaded might be too late.
Is there a way to verify it without loading it?
Asked
Active
Viewed 232 times
2
-
Did you see the [other answer](http://stackoverflow.com/a/309429/3764814) on the very same question you linked to? – Lucas Trzesniewski Aug 24 '14 at 19:48
-
I would questions *why* you'd want to do that? What do you *think* you're verifying by verifying an assembly's strong name? – Peter Ritchie Aug 24 '14 at 19:57
-
1@LucasTrzesniewski Thanks. Yes. But a) that's from 08. Perhaps there's a managed way today. b) I've seen answers of the "it can't be done", "WinApi", etc. types followed by a simple managed solution. – ispiro Aug 24 '14 at 19:58
-
@PeterRitchie That it hasn't been replaced by some other code. – ispiro Aug 24 '14 at 19:59
-
1from: http://msdn.microsoft.com/en-us/library/wd40t7ad(v=vs.110).aspx : "Do not rely on strong names for security. They provide a unique identity only." i.e. it ensures you load the *right* assembly, not a verified assembly. – Peter Ritchie Aug 24 '14 at 20:02
-
@PeterRitchie Thanks. Do you know why? After all, signing with a private key should be secure. Not so? (I'd like to verify a code signing certificate, even without any web-access - assuming the public key is still correct. But I haven't found a managed way to do that either.) – ispiro Aug 24 '14 at 20:04
-
if you want to verify the source of an executable, it's recommended to use Authenticode. – Peter Ritchie Aug 24 '14 at 20:18
-
@PeterRitchie As in my previous comment - I'd _like_ to do that. But I don't know how to verify that programmatically. Besides, as long as the private key hasn't leaked - I can't find a reason why _not_ to trust strong naming. Thanks again for all your input, though. – ispiro Aug 24 '14 at 20:21