yck1509 / ConfuserEx

An open-source, free protector for .NET applications
http://yck1509.github.io/ConfuserEx/

Confuscating signed assemblies #7

Closed maeni70 closed 10 years ago

maeni70 commented 10 years ago

Hello, I am not sure if this is the right place to ask questions, but I don't know where else to ask. Often assemblies need to be signed (with a strong name) - for example when implementing your own ProtectedConfigurationProvider for protecting sections in application configs. How can this be achieved when using this confuscator? Thanks in advance, Roger

yck1509 commented 10 years ago

You could add a snKey attribute on the module element. For example:

maeni70 commented 10 years ago

Thanks! I guess you wanted to paste an example?

yck1509 commented 10 years ago

For some reason it doesn't show up... :P I'll post it again:

<module path="App.exe" snKey="C:\pathToKey.snk" />

maeni70 commented 10 years ago

Obfuscated assemblies cannot be used for debugging. But the corresponding assembly still needs to be signed in the debug configuration. So, I did it a little bit differently.

I created a key pair with the strong name signing tool from the Windows SDK, extracted the public key from this file and used it for delayed signing (this can be set in the signing section of the project properties).

Commands for creating key files:

sn -k myKeyPair.snk
sn -p myKeyPair.snk publicKey.snk

In the post-build event I added the following logic:

REM Obfuscate (for release only)
if "Release"=="$(ConfigurationName)" (
   cd "$(ProjectDir)\..\Tools\ConfuserEx"
   Confuser.CLI.exe "$(TargetDir)\ConfuserPrj.xml"
   copy "$(TargetDir)\Confused\*" "$(TargetDir)"
)

REM Re-sign assembly (delayed)
"C:\Program Files (x86)\Microsoft SDKs\Windows\v7.0a\Bin\x64\sn.exe" -R "$(TargetDir)\IrisProtectedConfigurationProvider.dll" "$(ProjectDir)\myKeyPair.snk"

Obfuscation only takes place in the release configuration - and this must occur before the assembly finally gets signed (for release & debug configuration).

There could be easier ways to achieve the same result, but this worked for me. I am open to easier solutions. ;-)

yck1509 commented 10 years ago

Sorry, I don't quite understand why you have to do this. ConfuserEx has the ability to re-sign the assembly given the *.snk file. So you could just keep setting the strong name key in VS and skip the obfuscation process in the Debug configuration. For the Release configuration, invoke Confuser.CLI with the snKey attribute set and it'll re-sign it.

maeni70 commented 10 years ago

Thanks. For me it was not clear that ConfuserEx can re-sign a delayed signing.

But basically I am doing the same thing (if release then obfuscate) - the only difference is that re-signing is called specifically by using sn.exe. Usually you would have to skip verification for a delay-signed assembly in the dev environment (with parameter -Vk of the sn.exe tool), but the debug version should also run on other internal test machines (you would have to skip verification for this assembly on these machines too - it's a special registry entry).

Or would it also work without delayed signing (using the "normal" approach for signing in VS)? As I understand it, the assembly would get signed with a strong name (this happens during build), but obfuscation (after build) would lead to an invalid signature as it changes the content.
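
A build-output check for the signing states discussed in this thread, added here as an example that is not part of the original thread or of ConfuserEx: it reads the CLI header of an assembly and reports whether it is unsigned, delay-signed (signature space reserved, flag clear) or marked as strong-name signed. The function names and the constructed sample image are assumptions of this example.

```python
import struct
STRONGNAMESIGNED = 0x8  # COMIMAGE_FLAGS_STRONGNAMESIGNED in the CLI header flags

def strong_name_state(pe: bytes) -> str:
    """Classify an assembly as 'unsigned', 'delay-signed' or 'signed' (header state only)."""
    pe_off, = struct.unpack_from("<I", pe, 0x3C)            # e_lfanew
    if pe[:2] != b"MZ" or pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    n_sections, = struct.unpack_from("<H", pe, pe_off + 6)
    opt_size, = struct.unpack_from("<H", pe, pe_off + 20)
    opt = pe_off + 24
    magic, = struct.unpack_from("<H", pe, opt)
    dirs = opt + (96 if magic == 0x10B else 112)            # PE32 vs PE32+
    cli_rva, _ = struct.unpack_from("<II", pe, dirs + 14 * 8)  # directory 14: CLI header
    if cli_rva == 0:
        raise ValueError("not a managed assembly")
    sec = opt + opt_size                                    # section table
    for i in range(n_sections):
        vsize, vaddr, rsize, raw = struct.unpack_from("<IIII", pe, sec + 40 * i + 8)
        if vaddr <= cli_rva < vaddr + max(vsize, rsize):
            cli = cli_rva - vaddr + raw                     # RVA -> file offset
            break
    else:
        raise ValueError("CLI header is not inside any section")
    flags, = struct.unpack_from("<I", pe, cli + 16)
    _, sn_size = struct.unpack_from("<II", pe, cli + 32)    # StrongNameSignature directory
    if sn_size == 0:
        return "unsigned"
    # Delay signing reserves the signature space but leaves the flag clear.
    return "signed" if flags & STRONGNAMESIGNED else "delay-signed"

def build_sample(flags: int, sn_size: int) -> bytes:
    """Constructed minimal PE32 image (headers and a CLI header only), not a real assembly."""
    img = bytearray(0x400)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", img, 0x86, 1)                    # NumberOfSections
    struct.pack_into("<H", img, 0x94, 224)                  # SizeOfOptionalHeader
    struct.pack_into("<H", img, 0x98, 0x10B)                # PE32 magic
    struct.pack_into("<II", img, 0x98 + 96 + 14 * 8, 0x2000, 72)
    struct.pack_into("<IIII", img, 0x98 + 224 + 8, 0x200, 0x2000, 0x200, 0x200)
    struct.pack_into("<I", img, 0x200 + 16, flags)
    struct.pack_into("<II", img, 0x200 + 32, 0x2080 if sn_size else 0, sn_size)
    return bytes(img)

if __name__ == "__main__":
    for name, args in [("unsigned", (0x1, 0)), ("delay-signed", (0x1, 128)), ("signed", (0x9, 128))]:
        print(name, "->", strong_name_state(build_sample(*args)))
```

On real build output, pass `open(path, "rb").read()` to `strong_name_state`. The result reflects header state only; whether the signature still matches the obfuscated contents is what `sn.exe -vf` checks.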