Hi I am trying to figure out how to make sure that a supplied DLL is the correct one. Reason is that our distributed solution is build of many small DLL's each containing certain portions of application and sometimes we roll out a new version of some of these.
Its not a "update problem", but merly - how do we check if:
its the correct binary/assemble
the customer/client had tampered with the file and perhaps replaced it with one of the same name with similar functions to return bad values?
Multiple reasons
This could be used for copyprotection/licens test or other important validation issues, so I'm trying to figure out if MD5 checksum + some sort of assemble info is enough? (if so, how to gain access to assembly details or similar?)
Ofcause nothing is failsafe, when you CAN decompile .NET DLL's, but exactly therefore we want to make sure that someone doesnt just decompile our functionlist and then writes there own replacement DLL of our "oooh so important" DLL's.
Our reason is the amount of trouble debugging/supporting needed, when we get customers who have destoryed these by error or purpose (we dont care about the reason, we just try to prevent most of the possible errors).
I see two options:
Digital signing. You need to buy a digital certificate, but once you make it work you can feel very confident about the origin of the file. If also has the advantage that your programs won't be marked as being from "an unknown publisher" in Windows Vista and higher.
Hashing. You could use a MD5 (or better a SHA-1) hash. Very easy to implement but is possible workaround the protection (although it's not trivial doing that).