与特定的证书是如何编程验证程序集签名？ [英] How to programmatically verify an assembly is signed with a specific Certificate?

问题描述

我的情况是，我们有一个程序（EXE），如果在一个特定的文件夹中，将启动其他程序。我想，以确保它永远只启动这是我们企业证书签名的程序（威瑞信批准等）。从本质上讲那么它只会先从相同的证书本身的程序。我不想出货证书本身。

My scenario is we have one program (exe) that will start other programs if found in a particular folder. I want to ensure it only ever starts programs which are signed with our Corporate certificate (Verisign approved etc). Essentially then it will only start the programs with the same certificate as itself. I don't want to ship the certificate itself.

我一直在寻找网络和系统命名空间，还没有找到一个明显的例子是从文件读取证书数据，并验证它，可以检查对另一个文件。我发现的最接近的是Signtool并在一个单独的EXE具有这种验证是一种点以下。我知道强命名的东西不会帮助，因为一个数字签名的文件是不同的有益此处的说明(http://blog.codingoutloud.com/2010/03/13/three-ways-to-tell-whether-an-assembly-dl-is-strong-named/)此外，在示出的SO加密和验证的原始数据，但不其中它的打包在一起以某种方式装配其他一些例子

I've been searching the web and the system namespace and haven't found a clear example that reads the certificate data from a file and also validates it, and can check against another file. The closest I've found is Signtool and and having this verification in a separate exe is kind of point less. I know the Strong Naming stuff wont help because a digitally signed file is different as helpfully explained here (http://blog.codingoutloud.com/2010/03/13/three-ways-to-tell-whether-an-assembly-dl-is-strong-named/) Also some other examples in SO showing encryption and verification of raw data but not an assembly where it's packaged up together in some way.

任何意见或建议？

推荐答案

下面是一个博客帖子上如何验证程序集签名code样品：<​​BR> <一href="http://blogs.msdn.com/b/shawnfa/archive/2004/06/07/150378.aspx">http://blogs.msdn.com/b/shawnfa/archive/2004/06/07/150378.aspx

Here's a blog post with code samples on how to verify assembly signatures:
http://blogs.msdn.com/b/shawnfa/archive/2004/06/07/150378.aspx

在最后的code示例显示了如何验证程序集是由微软或没有签字 - 您可以通过获得证书，令牌，为贵公司的证书（S）做同样的

The code sample at the end shows how to verify if an assembly was signed by Microsoft or not - you can do the same by getting the certificate token for your company's certificate(s).

更新：用户@Saber编辑用下面的更新，但该更新被别人拒绝。然而，这是非常有效的意见，所以我重新张贴他/她的编辑，因为SO不会让我批准它：

Update: user @Saber edited this with the following update, but that update was rejected by others. However, it is very valid advice, so I am reposting his/her edit since SO won't let me approve it:

编辑（谢谢你，OP）：如果你想要更安全地做到这一点（也就是使你的程序更加防篡改），参考在你的程序的组件，其强烈命名相关键，然后用引用的程序集的标记与调用组件的令牌进行比较。如果你使用一个字节数组（按链接），它可以简单的十六进制编辑和修改。的

这篇关于与特定的证书是如何编程验证程序集签名？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！