debugging strongly named assemblies

"William Sullivan" wrote:

VS 2k5, .NET v2.0.50727

I'm working on a system that can use plugins via loading DLL's into an appdomain. I'm trying to nail down security as tight as possible. To do this, I've created a testbed with plugins that do bad things (violate code access security, throw exceptions, etc). Part of my security requirements is that all plugins be signed (i.e., have strong names). I'm concerned with signing all these different plugins during the debug/testing phase. I need to sign them to test them fully, but I don't want them in the GAC. I've given them static version numbers, so I hopefully won't have fifteen hundred different versions of the DLL's in the GAC. Is that enough? Are there any other considerations when doing the edit-compile-sign-debug-repeat process? TIA.

"Dmytro Lapshyn [MVP]" wrote:

Hi William,

Signing an assembly with a strong name does not require you to put the assembly in the GAC. You can keep the plug-in assemblies in the same folder as the main application, or in a sub-folder thereof. Giving the assemblies a static version number is definitely a good idea. So you are all set for debugging your testbed and the plug-ins.

What you should be concerned with is keeping your original strong name key file secure. You can also consider delayed key signing if the company's master strong name key is not available during your debugging process.

"William Sullivan" wrote:

That answers my question. Thank you.

BTW, for the testbed, I'm not using my company's key pair. I'm hoping that once I have this written and working, I can distribute it to any clients who wish to develop plugins...
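
An added example, not part of the original thread or either poster's code: one way a host could enforce the "all plugins must be signed" requirement for plug-ins kept in a sub-folder rather than the GAC, while still rejecting a delay-signed build that was only registered for verification skipping with `sn -Vr`. The class name `PluginGate`, the `Plugins` folder, and the token value are assumptions made for illustration; the token is a constructed placeholder.

```csharp
using System;
using System.IO;
using System.Reflection;
using System.Runtime.InteropServices;

static class PluginGate
{
    // Constructed placeholder: replace with the token "sn -T" prints for your test key.
    static readonly string[] TrustedTokens = { "0123456789abcdef" };

    // Native strong-name check exported by mscoree.dll (.NET Framework only).
    [DllImport("mscoree.dll", CharSet = CharSet.Unicode)]
    [return: MarshalAs(UnmanagedType.U1)]
    static extern bool StrongNameSignatureVerificationEx(string wszFilePath,
        [MarshalAs(UnmanagedType.U1)] bool fForceVerification,
        [MarshalAs(UnmanagedType.U1)] ref bool pfWasVerified);

    public static bool IsAcceptable(string path, out string reason)
    {
        // Reads metadata only; the plug-in is not loaded or executed here.
        byte[] token;
        try { token = AssemblyName.GetAssemblyName(path).GetPublicKeyToken(); }
        catch (BadImageFormatException) { reason = "not a managed assembly"; return false; }
        if (token == null || token.Length == 0) { reason = "no strong name"; return false; }

        string hex = BitConverter.ToString(token).Replace("-", "").ToLowerInvariant();
        if (Array.IndexOf(TrustedTokens, hex) < 0) { reason = "untrusted key " + hex; return false; }

        // fForceVerification = true ignores "sn -Vr" skip entries, so a
        // delay-signed build that was never re-signed is rejected here.
        bool wasVerified = false;
        if (!StrongNameSignatureVerificationEx(path, true, ref wasVerified))
        { reason = "signature missing or invalid"; return false; }
        reason = "ok";
        return true;
    }

    static void Main()
    {
        // Plug-ins live in a sub-folder of the application, not in the GAC.
        string dir = Path.Combine(AppDomain.CurrentDomain.BaseDirectory, "Plugins");
        foreach (string dll in Directory.GetFiles(dir, "*.dll"))
        {
            string reason;
            Console.WriteLine("{0}: {1}", Path.GetFileName(dll),
                IsAcceptable(dll, out reason) ? "load" : "reject (" + reason + ")");
        }
    }
}
```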