Signing and tamper protection

  • Question

  • I tried to sign my .NET Core 3 application, but that didn't protect against assembly tampering.

    Then I tried the same with a .NET 4.8 application; still no protection.
    So I found that this protection was disabled by default years ago (3.5 SP1).
    Then I added the following to app.config (below configuration/runtime):
    <bypassTrustedAppStrongNames enabled="false" />
    And all seems to be good.

    How do I disable the bypass for a .NET Core app?

    Is there a better way of achieving the same/similar protection?

    Friday, September 27, 2019 8:38 AM

All replies

  • Hi EuroEager, 

    Thank you for posting here.

    For strong name bypass in .NET Core, I hope the following references can help you.

    1. .NET Core Assemblies strong naming
    2. .NET Core - strong name assemblies

    Best Regards,

    Xingyu Zhao


    MSDN Community Support
    Please remember to click "Mark as Answer" the responses that resolved your issue, and to click "Unmark as Answer" if not. This can be beneficial to other community members reading this thread. If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.

    Monday, September 30, 2019 7:28 AM
    Moderator
  • Hi Xingyu Zhao

    I do not see that your reply actually answered any of my questions. Could you please be a bit more specific?

    Monday, October 7, 2019 12:03 PM
  • I tried to make a simple .NET Core 3 console app and published it, then signed it with signtool.exe (using a self-signed certificate for simplicity of testing the concept).

    Tampering with the assembly (.dll) file after signing didn't prevent execution at all; it happily executed my tampered code.

    Do I misunderstand something fundamentally, or is it because I used a self-signed certificate?

    Tuesday, October 8, 2019 6:11 AM
  • Hi EuroEager, 

    Thanks for your feedback.

    Sign Tool is a command-line tool that digitally signs files, but a digital signature is different from strong naming.

    What’s the Difference, Part Five: certificate signing vs strong naming

    All .NET Core assemblies are strong-named.

    Strong Name Signing

    The strong name process will avoid two common sources of potential security vulnerabilities in your programs:

    1. A malicious user replaces an assembly in your program with a different assembly with the same file name, but which contains malicious code, and convinces your program to load and execute it.
    2. A malicious user replaces an assembly in your program with a different version of the same assembly, but which has known bugs that have since been fixed.

    Besides,

    >> that didn't protect against assembly tampering.

    Do you want to find a way to protect against assembly tampering?

    The following reference may help you.

    Protect .NET code from reverse engineering?

    Best Regards,

    Xingyu Zhao




    Wednesday, October 9, 2019 8:48 AM
    Moderator
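
As the thread observes, a signtool (Authenticode) signature is not checked when the app runs, so the check has to be made by something else, such as a launcher or deployment step. The PowerShell below is an added example, not code from any poster in this thread: the function name Test-PublishedSignatures, its parameters and the demo folder are hypothetical, and it relies only on the built-in Get-AuthenticodeSignature cmdlet.

```powershell
# Added example: verify Authenticode signatures of a published app before launching it.
function Test-PublishedSignatures {
    param(
        [Parameter(Mandatory)] [string] $PublishDir,
        # Assumption: you pin the thumbprint of your own signing certificate (optional).
        [string] $ExpectedThumbprint
    )
    foreach ($file in Get-ChildItem -Path $PublishDir -Recurse -File -Include *.dll, *.exe) {
        $sig = Get-AuthenticodeSignature -FilePath $file.FullName
        $reason = $null
        if ($sig.Status -ne 'Valid') {
            # Covers unsigned files, files changed after signing and untrusted signers.
            $reason = "signature status: $($sig.Status)"
        }
        elseif ($ExpectedThumbprint -and $sig.SignerCertificate.Thumbprint -ne $ExpectedThumbprint) {
            # Validly signed, but not by the certificate we expect.
            $reason = "unexpected signer: $($sig.SignerCertificate.Thumbprint)"
        }
        if ($reason) {
            [pscustomobject]@{ File = $file.FullName; Reason = $reason }
        }
    }
}

# Constructed sample: a temp folder holding one placeholder file with no signature.
$demo = Join-Path ([System.IO.Path]::GetTempPath()) 'sigcheck-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
Set-Content -Path (Join-Path $demo 'App.dll') -Value 'placeholder, not a real assembly'

# @() keeps the result an array even when a single file fails.
$bad = @(Test-PublishedSignatures -PublishDir $demo)
$bad | Format-Table -AutoSize
if ($bad.Count -gt 0) {
    Write-Warning "$($bad.Count) file(s) failed verification; do not launch."
}
Remove-Item -Path $demo -Recurse -Force
```

A file modified after signing is reported with status HashMismatch, and a file signed with a self-signed certificate is reported as Valid only on machines that trust that certificate.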