开发者

C#, MEF - Sign trusted plugins for abuse reduction

开发者 https://www.devze.com 2022-12-29 23:02 出处:网络
I have a program that is extendable by plugins using the Microsoft Extensibility Framework. But i dont want untrusted 开发者_如何学Gosources to give out plugins that may be insecure.

I have a program that is extendable by plugins using the Microsoft Extensibility Framework. But i dont want untrusted 开发者_如何学Gosources to give out plugins that may be insecure. So i want to sign the plugins (maybe with Visual Studio's built in signing) and check if the plugins are trustworthy at program start.

I didn't find a way to check DLL signing from inside C#. And also there is the problem, that I load the plugins with a DirectoryCatalog. There is no way to tell, which plugin is from which file. Anyone knows a way to do this?

Thanks for any help, Marks


You won't be able to use the DirectoryCatalog. You will need to filter the assemblies yourself based on whether they are signed correctly. You can iterate through the files in a directory, and call AssemblyName.GetAssemblyName for each one. Then look at the KeyPair property of the AssemblyName to determine whether the assembly is signed with a key you trust. If it is, then create an AssemblyCatalog for that class and add it to an AggregateCatalog which you will pass to the container.

Here is a blog post with an example of how to do this: How To Control Who Can Write Extensions For Your MEF Application

0

精彩评论

暂无评论...
验证码 换一张
取 消

关注公众号