Bypassing the Authenticode Signature Check on Startup


A while back I wrote about the performance penalty of loading an assembly with an Authenticode signature.  The CLR attempts to verify the signature at load time in order to generate Publisher evidence for the assembly, and that verification (building the certificate chain and checking revocation, which can go out to the network for a CRL) is where the cost comes from.  By default, however, most applications have no use for Publisher evidence.  Standard CAS policy does not use the PublisherMembershipCondition, so unless your application will run on a machine whose CAS policy has been customized, or intends to satisfy demands for PublisherIdentityPermission (bearing in mind that in v2.0 of the framework FullTrust satisfies every identity permission demand, so fully trusted code never needs the evidence anyway), this is startup cost spent for nothing.

If you know your application doesn't need Publisher evidence, you won't want to pay for having the signature verified.  The Orcas Beta 1 bits include a runtime feature that lets an application opt out of Authenticode signature verification.  Each signed assembly then loads faster, which improves startup time whenever your entry point assembly (or anything it loads early) carries an Authenticode signature.  The tradeoff is that assemblies will no longer receive Publisher evidence and so will not be granted PublisherIdentityPermission.  Applications that want this can add the following to their .exe.config file:

<configuration>
    <runtime>
        <generatePublisherEvidence enabled="false"/>
    </runtime>
</configuration>

This stops the CLR from verifying the Authenticode signature of any assembly the application loads.  Note what it does not change: strong-name signatures are still verified as before, the Authenticode signature itself stays in the file for anything else that inspects it (Explorer, signtool and so on), and the setting is read from the application's own config file, so it affects only that application.
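As an added illustration (not part of the original post), the Python script below audits an application config for this opt-out and adds it when it is missing, creating the <runtime> element if needed and leaving any other runtime settings in place rather than overwriting the file.  The function names and the sample config it embeds are my own.

```python
"""Audit or patch a .NET app config for <generatePublisherEvidence enabled="false"/>.

Added example, not part of the original post.  Function names and the sample
config below are constructed for illustration.
"""
import sys
import xml.etree.ElementTree as ET

ELEMENT = "generatePublisherEvidence"

# Constructed sample: an app config that already carries another <runtime>
# setting, which a careless rewrite of the file would clobber.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="utf-8" ?>
<configuration>
    <runtime>
        <legacyUnhandledExceptionPolicy enabled="1"/>
    </runtime>
</configuration>
"""


def _root(config_xml: str) -> ET.Element:
    root = ET.fromstring(config_xml)
    if root.tag != "configuration":
        raise ValueError("not a .NET application config (root must be <configuration>)")
    return root


def publisher_evidence_disabled(config_xml: str) -> bool:
    """True if the config opts the process out of Authenticode verification.

    Only the documented value enabled="false" counts.  A missing element or a
    missing attribute means the default (true), so the CLR will still verify.
    """
    root = _root(config_xml)
    return any(el.get("enabled") == "false"
               for el in root.findall(f"./runtime/{ELEMENT}"))


def disable_publisher_evidence(config_xml: str) -> str:
    """Return config_xml with the opt-out in place.

    Creates <runtime> if absent, reuses an existing <generatePublisherEvidence>
    instead of adding a duplicate, and leaves every other element untouched.
    """
    root = _root(config_xml)
    runtime = root.find("runtime")
    if runtime is None:
        runtime = ET.SubElement(root, "runtime")
    el = runtime.find(ELEMENT)
    if el is None:
        el = ET.SubElement(runtime, ELEMENT)
    el.set("enabled", "false")
    return ET.tostring(root, encoding="unicode")


def patch_config_file(path: str) -> bool:
    """Patch the file at `path` in place; returns True if it was changed."""
    try:
        with open(path, encoding="utf-8-sig") as f:   # tolerate a BOM
            original = f.read()
    except FileNotFoundError:
        original = "<configuration/>"                  # app had no config yet
    if publisher_evidence_disabled(original):
        return False
    with open(path, "w", encoding="utf-8") as f:
        f.write('<?xml version="1.0" encoding="utf-8"?>\n')
        f.write(disable_publisher_evidence(original))
        f.write("\n")
    return True


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for p in sys.argv[1:]:
            print(p, "patched" if patch_config_file(p) else "already opted out")
    else:
        print(disable_publisher_evidence(SAMPLE_CONFIG))
```

Run it with one or more `application.exe.config` paths to patch them, or with no arguments to see the sample config rewritten.  The audit function is deliberately strict: anything other than the documented `enabled="false"` is reported as "still verifying", which is the safe direction for a tool whose job is to tell you whether the startup cost is really gone.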

Comments (3)

  1. This setting was shipped in .Net 3.5.

    Does it work downlevel to .net 2.0 after 3.5 is installed? I think 3.5 is like a service pack for 2.0, but I'm not sure.

    I tried it and it seems to help (Process Monitor shows no CRL keys touched with this setting enabled=false), but I just want to make sure of it.

  2. I found this feature was backported to .Net 2.0 via a hotfix

    support.microsoft.com/…/936707

    You can check the .Net file C:\Windows\Microsoft.NET\Framework\v2.0.50727\MsCorWks.dll to make sure it is at revision 876 or later (2.0.50727.876 or later) if you are unsure the patch is installed.

    Therefore this workaround can work on .Net 2.0 apps as well. Just make an application.exe.config file in the same folder where your application.exe lives and paste in the following text with Notepad:

    <?xml version="1.0" encoding="utf-8" ?>
    <configuration>
        <runtime>
            <generatePublisherEvidence enabled="false"/>
        </runtime>
    </configuration>
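The version check from the comment above, as an added example that is not the commenter's code: it parses a file version string of the kind Windows reports for mscorwks.dll and compares it against 2.0.50727.876 as integers.  The comparison matters because a plain string compare puts "2.0.50727.1433" before "2.0.50727.876" and would flag a newer build as too old.  The sample version strings are constructed.

```python
"""Decide whether an mscorwks.dll file version is new enough for the backport.

Added example, not part of the original comment.  The sample version strings
are constructed; the 2.0.50727.876 threshold is the one quoted in the comment.
"""
import re

# Hotfix threshold from the comment: 2.0.50727.876 or later carries the backport.
MIN_MSCORWKS_VERSION = (2, 0, 50727, 876)

# Constructed samples in the shape Windows reports a FileVersion
# (four numeric parts, sometimes followed by a build tag in parentheses).
SAMPLE_VERSIONS = {
    "2.0.50727.42": False,                            # 2.0 RTM, no backport
    "2.0.50727.876": True,                            # the hotfix build itself
    "2.0.50727.1433 (REDBITS.050727-1400)": True,     # constructed later build
}

_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_file_version(text: str) -> tuple:
    """Turn '2.0.50727.1433 (tag)' into (2, 0, 50727, 1433).

    Parts are compared as integers, never as text: as strings, '1433' sorts
    before '876', so a newer build would look older than the hotfix.
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"not a four-part file version: {text!r}")
    return tuple(int(g) for g in m.groups())


def has_publisher_evidence_backport(file_version: str) -> bool:
    """True if this mscorwks.dll version honours <generatePublisherEvidence>."""
    return parse_file_version(file_version) >= MIN_MSCORWKS_VERSION


if __name__ == "__main__":
    for version, expected in SAMPLE_VERSIONS.items():
        got = has_publisher_evidence_backport(version)
        print(f"{version:40} backport={got!s:5} (expected {expected})")
```

On a real machine the string to feed in comes from the file itself, for example in PowerShell `(Get-Item 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll').VersionInfo.FileVersion`; on 64-bit Windows check the copy under `Framework64` as well, since a 64-bit process loads that one.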