I am working with a set of delay signed assemblies which I am able to install and load from GAC after skipping verification (sn -Vr * ...
Since delay signing as a process requires only the public key file:
- sn -k keys.snk (both Public & Private keys)
- sn -p keys.snk pkey.snk (only public key)
- Add pkey.snk to project properties and check 'Delay Sign Only'
- sn -v (displays assembly is delay signed)
- sn -e (extract pkey)
- fc (no diff found)
I found that the first 160 bytes of the SNK file are the PKey... and the remaining 436 bytes represent the private key.
While for development purposes sn -Vr or sn -R keys.snk (new public/private key pair to replace the one delay-signed with) should suffice, I'm curious to know if extracting the public key from an assembly and pairing it with your own private key would work...
This could be a potential security loophole (as assemblies are looked up with public key tokens)... No wonder there's no built-in tool in the .NET Framework / SDK that allows this.
Is there a place where the entire SNK file structure (file format) is documented? Can this approach, in general, work? What do you think?
You seem to be concerned that someone will generate a random keypair, replace the public key in the keypair with the public key from a different assembly, then sign their own assemblies to have that public key.
This will not work.
The public key in a keypair is derived cryptographically from the private key, and the assembly is signed with a value that can only be computed using the correct private key.
Each private key will generate a different signature, and they're not interchangeable.
For more information, see here.
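The answer's point, as an added example that is not part of the original thread: a signature verifies only against the public key derived from the private key that produced it, so an extracted public key cannot be paired with a foreign private key. Textbook RSA without padding, toy primes and the names `publisher`, `outsider`, `token` and `outcomes` are assumptions made for illustration; this is not the sn.exe implementation.

```python
import hashlib

E = 65537  # common RSA public exponent

def make_keypair(p, q):
    """The public modulus n and private exponent d both derive from the secret primes."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    return {"n": n, "d": d}

def digest(data, n):
    return int.from_bytes(hashlib.sha1(data).digest(), "big") % n

def sign(data, d, n):
    return pow(digest(data, n), d, n)

def verify(data, sig, n):
    """Loader-side check: signature against the public key embedded in the assembly."""
    return pow(sig, E, n) == digest(data, n)

def token(n):
    """Simplified public key token: last 8 bytes of SHA-1 over the key, reversed."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "little")
    return hashlib.sha1(raw).digest()[-8:][::-1].hex()

# Constructed toy keys from known Mersenne primes (far too small for real use).
publisher = make_keypair(2**89 - 1, 2**107 - 1)
outsider = make_keypair(2**61 - 1, 2**127 - 1)
assembly = b"constructed assembly image bytes"

def outcomes():
    pub_n = publisher["n"]  # all that a delay-signed assembly reveals
    return {
        # Signed by the real owner of the embedded public key.
        "genuine": verify(assembly, sign(assembly, publisher["d"], pub_n), pub_n),
        # Signed with an unrelated keypair, publisher's public key left embedded.
        "own_key": verify(assembly, sign(assembly, outsider["d"], outsider["n"]), pub_n),
        # Publisher's public key "paired" with an unrelated private exponent.
        "mixed_pair": verify(assembly, sign(assembly, outsider["d"], pub_n), pub_n),
        # Embedding the outsider's own public key instead changes the token.
        "same_token": token(outsider["n"]) == token(pub_n),
    }

if __name__ == "__main__":
    for name, ok in outcomes().items():
        print(f"{name}: {ok}")
```

Only `genuine` is true: keeping the publisher's public key breaks verification, and swapping in another public key changes the token that binding relies on.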