比较两个程序集吗?公钥确保它们是使用相同的私钥签名的吗?
从我读过的其他问题和文章来看,听起来好像签名的程序集已被篡改,它的哈希值会有所不同,并且不会运行。如果这是真的,那么我可以得出这样的结论:如果未知程序集的公钥与已知程序集的公钥匹配,并且 .net 允许未知程序集运行,则未知程序集是使用相同的密钥文件进行签名的并且未被篡改和?
顺便说一句,我读了 这篇文章,但它询问的是签名的 MSI,听起来这可能与签名的 .net 程序集不同。
编辑:这是我的示例代码
static void Main(string[] args)
{
string unknownAppPath = args[0];
byte[] unknownKeyBytes = Assembly.LoadFile(unknownAppPath).GetName().GetPublicKey();
string unknownKeyStr = BitConverter.ToString(unknownKeyBytes);
Assembly asm = Assembly.GetExecutingAssembly();
AssemblyName aname = asm.GetName();
byte[] pubKey = aname.GetPublicKey();
string hexKeyStr = BitConverter.ToString(pubKey);
if (hexKeyStr == unknownKeyStr)
{
Console.WriteLine("Signed by same private key");
}
else
{
Console.WriteLine("Uknown signer!");
}
Console.ReadKey();
}
此外,我阅读了 这篇文章 它使用了更复杂的方法。我在文章中看到他谈到使用公钥令牌的缺点,但我不明白为什么不使用整个公钥。从到目前为止的答案来看,这听起来像是公钥的用途......那篇文章中的问题是您必须尝试运行程序集吗? (他说,“……但是如果不检查程序集是否通过验证,你就无法发现这一点。”)
From other questions and articles I've read, it sounds as if a signed assembly has been tampered with, it's hash will be different and it will not be run. If that's true, then can I conclude that if an unknown assemlbly's public key matches a known assembly's public key, and .net allows the unkown assembly to run, that the unkown assembly was signed with the same key file and that it has not been tampered with?
BTW, I read this article but it is asking about a signed MSI and it sounds like that may be a different case than a signed .net assembly.
Edit: here's my sample code
static void Main(string[] args)
{
string unknownAppPath = args[0];
byte[] unknownKeyBytes = Assembly.LoadFile(unknownAppPath).GetName().GetPublicKey();
string unknownKeyStr = BitConverter.ToString(unknownKeyBytes);
Assembly asm = Assembly.GetExecutingAssembly();
AssemblyName aname = asm.GetName();
byte[] pubKey = aname.GetPublicKey();
string hexKeyStr = BitConverter.ToString(pubKey);
if (hexKeyStr == unknownKeyStr)
{
Console.WriteLine("Signed by same private key");
}
else
{
Console.WriteLine("Uknown signer!");
}
Console.ReadKey();
}
Further, I read this article which uses a much more involved method. I see in the article that he talks about shortcomings of using public key tokens, but I don't see why not use the entire public key. From the answers so far, that sounds like that's what the public key is for... is the problem in that article that you'd have to try to run the assembly? (he says, "...but you'd be unable to discover this without checking to see if the assembly passes verification.")
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
是的;这就是公钥的工作原理。
您还需要确保该程序集不在验证跳过列表中;在 VS 命令提示符下运行
sn-Vl。Yes; that's how public keys work.
You'll also need to make sure that the assembly isn't in the verification skip list; run
sn-Vlin a VS command prompt.简单来说,公钥可以用来解密用私钥加密的数据。如果数据可以用不同的私钥加密,那么整个系统就会被破坏。这是公钥密码学的基本主张之一。
Simplified, the public key can be used to decrypt data encrypted with the private key. If data could be encrypted with a different private key, then the whole system would be broken. It's one of the fundamental assertions of public-key cryptography.
我不确定这是否回答了您的问题,但我在这里:您可以在引用中显式指定
PublicKeyToken,并且如果程序集的PublicKeyToken不匹配。我认为其他答案特定于公钥加密,我对您问题的理解是您询问 Fusion 如何处理
PublicKeyToken而不是公钥(程序集未加密)。I'm not sure if this answers you question, but here I go: You can explicitly specify a
PublicKeyTokenin your references, and Fusion (the .net assembly loader) will not load the assembly if the assembly'sPublicKeyTokendoes not match.I think the other answers are specific to public key encrpytion, where my understanding of your question is you're asking about how Fusion handles the
PublicKeyTokenrather than public keys (the assemblies are not encrypted).