CSharp/C# >> Strong name assemblies patching problem

by twoj wladca » Sun, 18 Apr 2010 05:53:02 GMT

Hello all,

I have an application that is based on strong name assemblies. I would like to
replace one of the assemblies now (create a patch) at the client side. Let's say
on the client's machine there is MyAssembly.dll V1.0.0.0 and I would like to
replace it with MyAssembly.dll V1.0.0.1. They are both signed with the same
snk key. All the other application binaries have references to
MyAssembly.dll V1.0.0.0. Now if I just replace the binary, the application will
fail with the 'reference does not match assembly manifest' error and that is
understandable because it was compiled with version v.1.0.0.0 and not
v.1.0.0.1. What is the correct way to replace that assembly? I do not want to
ship the entire application again with just one new assembly (MyAssembly
V.1.0.0.1) and all other assemblies recompiled (to refresh their manifests).
I would like to create a patch with just one assembly.

--
Regards!

Chris



by Alberto Poblacion » Sun, 18 Apr 2010 15:02:30 GMT



If you want to replace the strong-named assembly, but you don't want to
replace the assembly that calls into it, you can use the application
configuration file (myApp.exe.config) to provide a "bindingRedirect" node
that determines the version replacement.

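<?xml version="1.0"?>
<configuration>
  <runtime>
    <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
      <dependentAssembly>
        <!-- publicKeyToken below is a placeholder: use the real token of the
             signed assembly (sn.exe -T MyAssembly.dll prints it) -->
        <assemblyIdentity name="myAssembly" culture=""
                          publicKeyToken="12345678etcetc"/>
        <!-- Requests for 1.0.0.0 are bound to 1.0.0.1 instead -->
        <bindingRedirect oldVersion="1.0.0.0"
                         newVersion="1.0.0.1"/>
      </dependentAssembly>
    </assemblyBinding>
  </runtime>
</configuration>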
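
A pre-deployment check for a patch built this way, as an added example that is not part of the original post: it reads each bindingRedirect from the .config and confirms that the DLL shipped beside the .exe really has the redirected version and the configured public key token. `RedirectCheck` and its parameters are hypothetical names, and the code assumes the patched DLL sits in the application folder.

```csharp
using System;
using System.IO;
using System.Linq;
using System.Reflection;
using System.Xml.Linq;

static class RedirectCheck
{
    static readonly XNamespace Asm = "urn:schemas-microsoft-com:asm.v1";

    // Returns one message per bindingRedirect whose target DLL is missing or
    // does not carry the version and public key token the config promises.
    public static string[] Verify(string configPath, string appDir)
    {
        return XDocument.Load(configPath)
            .Descendants(Asm + "dependentAssembly")
            .Select(dep => Check(dep, appDir))
            .Where(msg => msg != null)
            .ToArray();
    }

    static string Check(XElement dep, string appDir)
    {
        XElement id = dep.Element(Asm + "assemblyIdentity");
        XElement redirect = dep.Element(Asm + "bindingRedirect");
        if (id == null || redirect == null) return null;

        string name = (string)id.Attribute("name");
        string wantToken = (string)id.Attribute("publicKeyToken") ?? "";
        string wantVersion = (string)redirect.Attribute("newVersion") ?? "";

        // Assumption: the patched DLL sits next to the .exe (no codeBase/privatePath).
        string dll = Path.Combine(appDir, name + ".dll");
        if (!File.Exists(dll)) return name + ": not found in " + appDir;

        // Reads the manifest only; nothing is loaded and no signature is verified here.
        AssemblyName found = AssemblyName.GetAssemblyName(dll);
        byte[] token = found.GetPublicKeyToken() ?? new byte[0];
        string gotToken = BitConverter.ToString(token).Replace("-", "");

        if (found.Version.ToString() != wantVersion)
            return name + ": config redirects to " + wantVersion + ", file is " + found.Version;
        if (!gotToken.Equals(wantToken, StringComparison.OrdinalIgnoreCase))
            return name + ": token " + gotToken + " differs from config " + wantToken;
        return null;
    }
}
```

An empty result from `RedirectCheck.Verify` means every redirect in the config points at a file that is present with the expected identity.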


by twoj wladca » Sun, 18 Apr 2010 20:21:52 GMT

Thank you, it works fine.

While changing strong name assemblies, additional assembly binding is
required either in app, machine or publisher policy (GAC) config files. Do
you see any advantage of using publisher policy in GAC over app config file?
Somehow I like the idea of modifying app config more than messing with
client's global assembly cache.

Regards!



by Alberto Poblacion » Sun, 18 Apr 2010 22:33:43 GMT


Well, imagine the following situation: An Independent Software Vendor,
"VendorA", sells a DLL that is bought by hundreds of companies and
referenced from hundreds of programs developed by those companies. Those
programs are then sold to hundreds of thousands of customers who install
them on their computers.
One day, a critical security issue is detected in that assembly, so
VendorA prepares an updated version that they publish on their website so
that all clients using that DLL can get the problem fixed. However, just
downloading and copying that DLL is not enough. The client programs still
try to access the old version of the DLL. In order to fix this by means of
the app.config, all those hundreds of thousands of clients would have to be
instructed to edit their .config files (which may contain additional
configuration for their thousands of different .exe files, so it is not
possible to simply publish a "fixed" .config file to replace the existing
ones).
The solution is "publisher policy". A special assembly is prepared that
contains the bindingRedirect instructions. This publisher policy assembly is
signed with the same key that was used to produce the strong name for the
DLL that is being fixed. Then, VendorA prepares a Setup program that
installs both the DLL and the publisher policy to the GAC. Now, users only
need to download this setup program and run it on their computers. This
will fix the initial security issue on all the applications that might be
referencing the "fixed" DLL on each user's computer.


by twoj wladca » Mon, 19 Apr 2010 14:05:33 GMT

Thank you for the explanation. In the scenario you described it obviously
makes sense. However, when there is just a single application using the mentioned
dll and that dll needs to be replaced, I could provide patch that contains
'fixed' dll along with updated app config or 'fixed' dll along with updated
publisher policy file. Simply, I see the benefit of installing publisher
policy file if the dll is meant to be shared amongst applications, am I
right?

In my case, however, I:
1) Do not want to share my libraries with any other programs
2) Do not want to install my libraries in the GAC (basically I would have to
install the entire application because currently I do not know which dlls I will
be replacing in the future)

One more question. Does the 'fixed' dll have to be installed in the GAC for it to be
possible to redirect assembly binding by policy file? Or might it be any
assembly put anywhere on the file system?

Regards!


by Alberto Poblacion » Mon, 19 Apr 2010 15:09:54 GMT


Yes, of course in such a case it doesn't make any sense to use the
publisher policy.


No, you don't need to install to the GAC. The bindingRedirect works
regardless of the location of the assembly.


The assembly can be located anywhere, on the condition that the binding
process is able to find it, regardless of whether you are redirecting the
version or not. This means that it can be in the same folder as the invoking
.exe, or in a subfolder named the same as the assembly, or in a subfolder
specified in the "probing privatePath" element in app.config, or in any
folder specified in the codeBase element (presuming that the assembly has a
Strong Name, which is true in your case; otherwise the codeBase would only
work for a subfolder under the .exe).

Similar Threads

1. Strong Named Assemblies and Non Strong Named assemblies

Hi All

I have a third party .net assembly that I do not have the code for and it 
also does not have a strong name.

I want to strongly name my assemblies but I keep getting an error saying 
that the 3rd party assembly is not signed.

I have had a look at the tlbimp.exe but this looks like it only works for 
ActiveX/COM components, NOT .Net assemblies.(Unless I am typing in the wrong 
commands....keep getting error not a valid type library)

Is there some compile switch or something that will not check on this 3rd 
party dll for a strong name?

Thanks

David 


2. Problem with signing assemblies using AL.exe (Strong name signing an unsigned assembly) - CSharp/C#

3. Strong Naming a Non-Strong Named assembly

Hi,

Yes, you can sign it later using sn.exe provided you have the private key of
the public-private key pair.

Delay Signing is something related with module based development where
individual, small teams don't have access to the private key for that
organisation. So they sign the AssemblyKeyFile with the public key & set the
AssemblyDelaySign = true to enable to have room for the private key to be
hashed later. Later, the resulting assembly is re-signed using the private
key using the -R switch of sn.exe.

Regards
Joyjit

"Gururaj" < XXXX@XXXXX.COM > wrote in message
news: XXXX@XXXXX.COM ...
> Hi,
>
> Is it possible to strong name an assembly (already existing third party
> assembly) which is not strong named and has been built with /delaysign-
> option.
>
> Basically my question is can one introduce a /delaysign+ attribute and use
> the sn.exe with "-R" option?
>
> Thanks,
> Gururaj


4. Strong-named assembly calling unsigned assembly: FileNotFound exception - CSharp/C#

5. Restricting access to Assembly.LoadFrom call within an assembly based on strong names

Surya,

    You aren't going to be able to do this.  You are going to have to
implement a load mechanism yourself and then have all of your code go
through that mechanism.

    Hope this helps.


-- 
               - Nicholas Paldino [.NET/C# MVP]
               -  XXXX@XXXXX.COM 

"surya" < XXXX@XXXXX.COM > wrote in message
news: XXXX@XXXXX.COM ...
> Hi,
>
> I use the Assembly.LoadFrom call in my code to load assemblies dynamically.
> This call currently loads both signed and unsigned assemblies.
> It now needs to be changed to load only signed assemblies. Again only those
> signed assemblies with known public keys need to be loaded.
> Is there an easy way to implement this?
>
> Regards
> Surya
>
>
>


6. Assembly generation failed -- Referenced assembly 'Interop.SHDocVw' does not have a strong name - CSharp/C#

7. hexedit assembly - snk, strong name, sing assembly question

Hello

How can I ensure that an assembly (dll) is not manipulated (e.g.
hexeditor).

I thought that signing the assembly (snk-File) ensures this.

I have tried the following.

1.
Create assembly Test.Dll with  AssemblyVersionAttribute("1.1.*") and
sign with Test.snk  (Property-Page and/or
AssemblyKeyFileAttribute(@"Test.snk")

2.
Create UseTest.Exe with reference to Test.Dll.

--> Now UseTest.Exe requires the desired Test.Dll,  ok

However, I can manipulate Test.dll (Hexeditor) and use it !!   e.g.
Class Test1 in Test.Dll

  public class Test1
    {
        public static void SayHallo()
        {
            System.Windows.Forms.MessageBox.Show("Hallo Peter");
        }
    }

Change text Hallo Peter with hexeditor to Hallo Qeter


Am I doing something wrong?
Or is signing not at all meant for my problem?

Is there a built-in mechanism to "checksum" an assembly?

thank you
Peter
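
One way to build the kind of custom load mechanism suggested in thread 5, which also performs the tamper check asked about in thread 7; this is an added example, not code from any poster. It assumes .NET Framework on Windows, `TrustedLoader` is a hypothetical name, and the allowlisted token is a placeholder.

```csharp
using System;
using System.Collections.Generic;
using System.Reflection;
using System.Runtime.InteropServices;
using System.Security;

static class TrustedLoader
{
    // Assumption: placeholder token. List the tokens of the keys you trust
    // (sn.exe -T <assembly> prints an assembly's public key token).
    static readonly HashSet<string> AllowedTokens =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "0123456789abcdef" };

    // Native strong-name API exported by mscoree.dll (.NET Framework, Windows).
    [DllImport("mscoree.dll", CharSet = CharSet.Unicode)]
    [return: MarshalAs(UnmanagedType.U1)]
    static extern bool StrongNameSignatureVerificationEx(
        string filePath,
        [MarshalAs(UnmanagedType.U1)] bool forceVerification,
        [MarshalAs(UnmanagedType.U1)] out bool wasVerified);

    public static Assembly Load(string path)
    {
        // Read the identity from the manifest without loading the file.
        AssemblyName name = AssemblyName.GetAssemblyName(path);
        byte[] token = name.GetPublicKeyToken();
        if (token == null || token.Length == 0)
            throw new SecurityException(path + " has no strong name");

        string hex = BitConverter.ToString(token).Replace("-", "");
        if (!AllowedTokens.Contains(hex))
            throw new SecurityException(path + " is signed with an untrusted key: " + hex);

        // The token alone says nothing about the file's contents, so force a
        // full signature check (true = ignore skip-verification registry entries).
        bool wasVerified;
        bool ok = StrongNameSignatureVerificationEx(path, true, out wasVerified);
        if (!ok || !wasVerified)
            throw new SecurityException(path + " failed strong-name verification");

        // Caveat: the file must not be writable by untrusted users between check and load.
        return Assembly.LoadFrom(path);
    }
}
```

A signed DLL whose bytes were changed after signing, as in the hex-editor test above, no longer matches its signature and is rejected by the forced verification step.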














8. hexedit assembly - snk, strong name, sing assembly question - CSharp/C#