Is it possible to substitute a strong-named assembly by one signed with a different key?

Question

We are about to implement a licensing algorithm in a strong-named .NET assembly that is referenced by other components of the application. Of course, we want to minimize the risk that someone exchanges the assembly that contains the license check and by that unlocks application functions.

As far as I know, you can redirect an assembly to a different version (either by a publisher policy or in the application config file). But I haven't found a way to redirect to an assembly that has another name or was signed with a different key.

Are there other ways to influence assembly binding so that an assembly that was signed with a different key is used? If there are, how high is the effort that is needed to bypass this algorithm?

Answer 1

No, it is not possible to redirect to a different Assembly Version. Different Name or Strong name is not possible with assembly redirects.

It is possible to circumvent this. A technical but simple way is to simply disassemble all the strong named assemblies and recompile them without the strong name. This is easy by using ildasm and ilasm or with a PE editor. See here and here. And while you decompiled it, why not also remove any license checks? Obfuscators won't help unless they are able to prevent decompilation. Another way, already mentioned, might be to use the public key to delay sign the new assembly and turn off assembly verification. Or since assemblies in the GAC are only verified during installation you could replace an existing assembly in the GAC. The last two do require administrative rights.