C#, MEF - Sign reliable plugins to reduce abuse

I have a program that extends plugins using the Microsoft Extensibility Framework. But I do not want unreliable sources to produce plugins that may be unsafe. Therefore, I want to sign plugins (possibly with Visual Studio embedded in the signature) and check whether the plugins are really trusted when the program starts.

I did not find a way to verify the signing of the DLL inside C#. And also there is a problem that I am loading plugins with DirectoryCatalog. It is impossible to say which plugin is from which file. Does anyone know a way to do this?

Thanks for any help, Marks

+4
1 answer

You cannot use DirectoryCatalog. You will need to filter assemblies yourself based on whether they are properly signed. You can iterate over files in a directory and call AssemblyName.GetAssemblyName for each of them. Then, look at the KeyPair AssemblyName property to determine if the assembly is signed using a key that you trust. If so, create an AssemblyCatalog for this class and add it to the AggregateCatalog, which you will pass into the container.

Here's a blog post with an example of how to do this: How to control who can write extensions for your MEF application

+3
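
The filtering procedure from the answer above, as an added example that is not part of the original question, answer or linked blog post. It compares the full public key from AssemblyName.GetPublicKey() instead of the KeyPair property, and builds one AssemblyCatalog per file so each plugin stays tied to the path that was checked. Assumptions: the class name TrustedPluginLoader, the "Plugins" folder, and a host signed with the same key as trusted plugins are all hypothetical.

```csharp
using System;
using System.ComponentModel.Composition.Hosting;
using System.IO;
using System.Linq;
using System.Reflection;

static class TrustedPluginLoader
{
    // Hypothetical helper: builds a MEF catalog from only those DLLs whose
    // strong-name public key equals trustedPublicKey. Fails closed.
    public static AggregateCatalog BuildCatalog(string pluginDir, byte[] trustedPublicKey)
    {
        var catalog = new AggregateCatalog();
        if (!Directory.Exists(pluginDir)) return catalog;

        foreach (string path in Directory.EnumerateFiles(pluginDir, "*.dll"))
        {
            AssemblyName name;
            try
            {
                // Reads the manifest only; no plugin code runs at this point.
                name = AssemblyName.GetAssemblyName(path);
            }
            catch (BadImageFormatException) { continue; } // native or corrupt DLL
            catch (FileLoadException) { continue; }

            byte[] key = name.GetPublicKey();
            if (key == null || key.Length == 0 || !key.SequenceEqual(trustedPublicKey))
            {
                Console.Error.WriteLine("Rejected plugin (untrusted key): " + path);
                continue;
            }
            // One catalog per file keeps the plugin-to-path mapping explicit.
            catalog.Catalogs.Add(new AssemblyCatalog(path));
        }
        return catalog;
    }

    static void Main()
    {
        // Assumption: the host is signed with the same key as trusted plugins.
        byte[] trusted = Assembly.GetExecutingAssembly().GetName().GetPublicKey();
        string dir = Path.Combine(AppDomain.CurrentDomain.BaseDirectory, "Plugins");
        using (var container = new CompositionContainer(BuildCatalog(dir, trusted)))
        {
            // container.ComposeParts(host) would go here in the real application.
        }
    }
}
```

A matching public key shows only which key the assembly claims: since .NET Framework 3.5 SP1 the strong-name signature is not validated by default for assemblies loaded with full trust, and Microsoft documents strong names as an identity mechanism, not a security boundary. Where tampering is in scope, pair this filter with an Authenticode signature check or a hash allowlist, and restrict write access to the plugin directory.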

Source: https://habr.com/ru/post/1309298/
