To sign or not to sign assemblies

  • Question

  • I hope I'm in the right section of the forum, if not please do redirect me.

    I have an application that loads unreferenced assemblies, as modules, in separate domains (each module has its own domain). The problem I encountered is that it works fine on my local computer, but once I package it and upload it on my website, anyone that downloads it will not be able to launch any module, myself included on my local computer.

    After a bit of research I discovered that the problem is that my main domain doesn't recognize the unreferenced assemblies as its own and refuses to load them. This can be solved by unblocking files on the computer they were downloaded at, but this is far from ideal.

    A bit more research revealed that if I sign my assemblies they will be recognized and the main domain will be able to load them. But, before doing that I was wondering what the consequences will be.

    The program was designed so third parties could create their own modules without having to get access to the source code of my program. If I begin signing them, wouldn't that remove the possibility of third parties creating and using their own modules with my program? What are the choices available in order to solve this problem?

    Tuesday, September 8, 2015 11:05 AM


All replies

  • Hi madks13,

    ->anyone that downloads it will not be able to launch any module

    Does any error occur? Could you please post the error message? Why don't you let your third parties add a reference to the DLLs first?

    Best Regards,
    Li Wang

    Wednesday, September 9, 2015 9:00 AM
  • Hi, I'm sorry I didn't reply faster, I was quite busy.

    For the error message, I got the same as described here:


    The solution for that question worked for me as well. However asking users to do this manipulation each time is not an ideal solution.

    As for the referencing, the part that doesn't have references is only the main program, this is done so it could load those assemblies as extensions. Meaning it is supposed to be able to download, install, load, unload, and update each extension without having to reboot the program itself. But third parties can reference any assembly they might need to work properly.

    Monday, September 14, 2015 9:08 AM
  • Hi Madks13,

    Not sure if I understand correctly. The problem that the loading does not work is because the files downloaded from the internet will be blocked, as you described. I see 2 possibilities:

    1. The 3rd party does not have this problem. If I downloaded your stuff and then wrote a plugin, the plugin itself does not come from the (untrusted) internet zone and therefore it should be loaded by your application.

    Idea number 2:

    Since you are NOT referencing the plugin assemblies (that is the idea) in your main project, you could just ask the 3rd party plugin creator to sign their plugin assembly. So the assembly is signed and (according to your explanations) should then be correctly loaded.

    Rgds MM

    PS: Please mark as answer if helpful. Thanks!
    Blog: http://www.manuelmeyer.net
    Twitter: https://twitter.com/manumeyer1

    Monday, September 14, 2015 12:20 PM
  • That is what should be happening...mostly. The 3rd party WOULD be able to launch my program and load the module, but the point is making it work for clients too, not only 3rd party developers. Which is not what is happening.

    However, after writing the post, the following weekend I tried signing my assemblies, and it still didn't work. It seems that as long as the files are marked as "blocked", the framework will refuse to load them, unless I lower the security settings on the project, which I will not do. That said, I just might be doing the signing wrong.

    But I would still like to get an answer to my question. Supposedly signing works, how will the 3rd party be able to sign their modules and be recognizable by my program?

    Also, in the case I remove signing, is there a proper way to avoid all the "blocked" mess?

    Monday, September 14, 2015 2:25 PM
  • Hm, regarding your 1st question:

    I guess, you could just iterate through a directory and use Assembly.LoadFile() on every file. Or you could let the 3rd party sign your assembly and then enter the (fully qualified) name into a config file where you can then use reflection to load an assembly by name.

    As for problem number 2, there seems to be a solution here:


    Rgds MM


    • Marked as answer by madks13 Thursday, September 17, 2015 8:30 AM
    Monday, September 14, 2015 3:27 PM
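
The directory-scan idea from the reply above, combined with the question of how a host can recognize third-party signed modules, sketched as an added example that is not code from any poster in this thread. The class `PluginLoader`, the method `LoadTrusted` and the allowlist file (one 16-hex-digit public key token per line) are hypothetical names chosen for illustration; each third party signs with their own key and the user adds that key's token to the allowlist, so no static assembly list and no contact with the host author is needed.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Reflection;

// Hypothetical host-side loader (illustration only, not from the thread).
static class PluginLoader
{
    // Hex public key token of an assembly name, or "" when it is not strong-named.
    static string TokenOf(AssemblyName name)
    {
        byte[] token = name.GetPublicKeyToken();
        return token == null
            ? ""
            : BitConverter.ToString(token).Replace("-", "").ToLowerInvariant();
    }

    // Loads every DLL in pluginDir whose public key token appears in the allowlist file.
    public static List<Assembly> LoadTrusted(string pluginDir, string allowlistPath)
    {
        var trusted = new HashSet<string>(
            File.ReadAllLines(allowlistPath)
                .Select(line => line.Trim().ToLowerInvariant())
                .Where(line => line.Length == 16));

        var loaded = new List<Assembly>();
        foreach (string path in Directory.GetFiles(Path.GetFullPath(pluginDir), "*.dll"))
        {
            AssemblyName name;
            try
            {
                // Reads the manifest only; the assembly is not added to the domain.
                name = AssemblyName.GetAssemblyName(path);
            }
            catch (BadImageFormatException)
            {
                continue; // not a managed assembly
            }

            string token = TokenOf(name);
            if (!trusted.Contains(token))
            {
                Console.Error.WriteLine("Skipped {0}: token '{1}' is not in the allowlist", path, token);
                continue;
            }
            loaded.Add(Assembly.LoadFile(path)); // LoadFile needs an absolute path
        }
        return loaded;
    }
}
```

A token match only tells the host which key the assembly names as its publisher; strong names provide identity rather than a security guarantee, and this check does not change how the framework treats files that Windows has marked as blocked.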
  • Well, I use Assembly.Load(), but I doubt the result would be different. From what I remember the only difference is that, contrary to Assembly.LoadFile(), Assembly.Load() tries to load all referenced assemblies of the provided assembly by using reflection.

    As for letting the 3rd party sign my assembly...I'm not sure how to do that, but the aim was to not have a static list of assemblies my program will load, which is the result if I force 3rd parties to sign. This means that if someone wanted to make their own module for their personal use, they wouldn't be able to do so without contacting me about signing.

    About that link, I haven't seen that page before, but from the quick look I gave it, it does seem to have a solution I haven't seen before in my search. I will give it a proper reading when I have time to.

    Monday, September 14, 2015 4:20 PM
  • Finally had time to test the solution shown in the link given by Manuel Meyer, and it worked. Marked as answer too.
    Thursday, September 17, 2015 8:30 AM