I have to develop a .NET C# application that supports plugins. I’ve found a lot of information on the internet and it doesn’t seem to be so hard.
I just have a specification that the Assemblies of the modules must be validated on the assembly level. When the late binding occurs and the assembly loads, the host application must be absolutely sure that:
- The Assembly wasn’t changed.
- The Assembly was indeed supplied
by the company.
I read that it is possible to sign the assembly using a key, but as far as I understood, this would only certify that the assembly wasn’t changed.
What must be done in order to be sure of the Assemblies authenticity?
Any help would be greatly appreciated.
Like I said in the comment, this has been asked before: Can strong naming an assembly be used to verify the assembly author?
This link gives an example of how to verify the public key against a known set of public keys: http://blogs.msdn.com/b/shawnfa/archive/2004/06/07/150378.aspx but it’s kinda old, and I don’t know if there have been significant changes since then.
EDIT: I see that the SO answer suggests the same technique as the link to shawnfa’s blog above, so it probably still stands.