Does StrongNameSignatureVerificationEx Cache Registry Lookup Results?

I received a question recently about my post on Checking for a Valid Strong Name Signature.  The person asking was using the code I presented there to run some tests under NUnit.  The format of the tests was to use the Microsoft.Win32.Registry classes to set up the skip verification list, and then call StrongNameSignatureVerificationEx.  However, he found that this wasn’t working.

The reason behind this is that the CLR is free to cache any settings that it looks up in the registry and environment.  That caching could occur at any point from the time the CLR is first spun up to the point at which you request the value of the setting, so a registry change made by a test inside an already-running process may never be seen by that process.  In order to ensure that the settings you are creating are honored by the CLR, you need to kick off a new process.  So the NUnit tests should use the following algorithm:

  1. Set the appropriate registry keys with Microsoft.Win32.Registry
  2. Kick off another process that runs the actual test with System.Diagnostics.Process
  3. Wait for that process to exit, and have it tell you whether the test passed or failed.  One way would be to read the ExitCode property of the process; others would be a named pipe or a shared file.
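The three steps above, written out as an added example that is not code from the original post or from the earlier article it refers to.  The same executable plays both roles: started with an assembly path it is the parent (step 1 writes the registry entry, step 2 spawns a child, step 3 reads the child's exit code); started with `--child` it is the child, which runs in a fresh CLR and so cannot have a stale cached view of the registry when it calls StrongNameSignatureVerificationEx.  The registry key is the one sn.exe -Vr writes; the "MyPlugin,0123456789abcdef" subkey, the exit-code values and the paths are assumptions for the example and should be replaced with those of the assembly under test.

```csharp
// Added example, not from the original post. Assumed names: the "MyPlugin,..."
// skip-list entry and the exit-code convention below.
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;
using Microsoft.Win32;

static class StrongNameSkipVerificationTest
{
    // Verification entry point exported by mscoree.dll. Both BOOLEAN parameters and
    // the return value are single bytes, hence UnmanagedType.U1 (a 4-byte BOOL is wrong).
    [DllImport("mscoree.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    [return: MarshalAs(UnmanagedType.U1)]
    static extern bool StrongNameSignatureVerificationEx(
        string wszFilePath,
        [MarshalAs(UnmanagedType.U1)] bool fForceVerification,
        [MarshalAs(UnmanagedType.U1)] out bool pfWasVerified);

    // Exit codes the child reports to the parent (a convention chosen for this example).
    const int ExitValidVerified = 0;   // signature was checked and is valid
    const int ExitValidSkipped  = 10;  // call succeeded but the check was skipped (skip list hit)
    const int ExitInvalid       = 1;   // signature missing or invalid
    const int ExitUsage         = 2;

    // Key that "sn.exe -Vr" populates. The "<assembly name>,<public key token>" entry is an
    // assumed value for the example's test target.
    const string SkipListKey = @"SOFTWARE\Microsoft\StrongName\Verification";
    const string TargetEntry = "MyPlugin,0123456789abcdef";

    static int Main(string[] args)
    {
        if (args.Length == 2 && args[0] == "--child")
            return ChildVerify(args[1]);
        if (args.Length == 1)
            return ParentRunTest(args[0]) ? 0 : 1;
        Console.Error.WriteLine("usage: <assemblyPath> | --child <assemblyPath>");
        return ExitUsage;
    }

    // Child role: runs in a brand-new CLR, so its first registry lookup sees the parent's key.
    static int ChildVerify(string assemblyPath)
    {
        bool wasVerified;
        // fForceVerification = false so the skip-verification list is honored; pass true
        // to force a real check even for an assembly that is on the list.
        bool ok = StrongNameSignatureVerificationEx(assemblyPath, false, out wasVerified);
        if (!ok) return ExitInvalid;
        return wasVerified ? ExitValidVerified : ExitValidSkipped;
    }

    // Parent role: (1) write the registry entry, (2) spawn the child, (3) read its exit code.
    // Writing under HKLM needs an elevated process; the entry is removed afterwards.
    static bool ParentRunTest(string assemblyPath)
    {
        using (RegistryKey root = Registry.LocalMachine.CreateSubKey(SkipListKey))
        {
            root.CreateSubKey(TargetEntry).Close();
            try
            {
                int exitCode = RunChild(assemblyPath);
                Console.WriteLine("child exit code: " + exitCode);
                // With the entry on the skip list the child must report "valid but not verified".
                return exitCode == ExitValidSkipped;
            }
            finally
            {
                root.DeleteSubKeyTree(TargetEntry, false);
            }
        }
    }

    static int RunChild(string assemblyPath)
    {
        var psi = new ProcessStartInfo(
            Process.GetCurrentProcess().MainModule.FileName,
            "--child \"" + assemblyPath + "\"")
        { UseShellExecute = false };
        using (Process child = Process.Start(psi))
        {
            child.WaitForExit();
            return child.ExitCode;
        }
    }
}
```

An NUnit test then only needs to call ParentRunTest and assert on its result; the P/Invoke call itself never runs in the NUnit process.  Two caveats worth checking before trusting a failure: the parent must run elevated to write under HKLM, and on 64-bit Windows the parent and child must have the same bitness, since a 32-bit process writes under the WOW64-redirected view of the key while a 64-bit CLR reads the native one.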
Comments (2)

  1. Regarding the original post, it would be far easier and probably more secure (i.e., harder to work around) if you used a StrongNameIdentityPermissionAttribute using the SecurityAction.InheritanceDemand. .NET CAS would enforce this rather well. All the application (i.e., the plugin container) would have to do is catch the SecurityException from trying to load the Type.

  2. Shawn says:

    True, however StrongNameIdentityPermission will only work after the assembly is loaded, since the CLR needs to have the assembly to assign it evidence. If you use StrongNameSignatureVerificationEx, you can check for a valid signature before ever loading the assembly, which could be important from a security standpoint.