adxloader.dll.manifest not signed

OliverM




Posts: 194
Joined: 2015-08-13
You are right, the manifest contains the signature element but what I am talking about is signing the manifest itself, like it is done with loader libs and the add-in lib.
Kind regards
Oliver
Posted 20 Feb, 2018 07:35:02
Andrei Smolin


Add-in Express team


Posts: 15094
Joined: 2006-05-11
Hello Oliver,

The manifest is not a binary file and it doesn't have a PE header.

Regards from Belarus (GMT+3),

Andrei Smolin
Add-in Express Team Leader
Posted 20 Feb, 2018 08:24:43
OliverM




Posts: 194
Joined: 2015-08-13
I see. I thought that if a ClickOnce manifest can be signed, the adxloader.dll.manifest can be too.

But this leads to the next question. If the manifest cannot be secured and somebody would hack my add-in dll by removing the digital signature first and then tampering with it in some way. He would then also remove the signature part from the manifest.

Will the hacked add-in then be loaded? I am afraid it would...
Kind regards
Oliver
Posted 20 Feb, 2018 08:57:31
OliverM




Posts: 194
Joined: 2015-08-13
What also confuses me regarding deployment manifest signing is this link
Kind regards
Oliver
Posted 20 Feb, 2018 09:04:16
Andrei Smolin


Add-in Express team


Posts: 15094
Joined: 2006-05-11
Oliver,

OliverM writes:
If the manifest cannot be secured and somebody would hack my add-in dll by removing the digital signature first and then tampering with it in some way. He would then also remove the signature part from the manifest.


Your add-in only loads if the loader, manifest, and add-in assembly are signed using the same key. It isn't possible to delete the signature from the manifest so that the add-in still loads.

OliverM writes:
What also confuses me regarding deployment manifest signing is this link


Please explain.

Regards from Belarus (GMT+3),

Andrei Smolin
Add-in Express Team Leader
Posted 20 Feb, 2018 09:38:13
OliverM




Posts: 194
Joined: 2015-08-13
It is not exactly clear to me what technically happens when the deployment manifest is signed. Does it mean they add the signature node to the manifest xml, like it is done when the loader manifest is signed?
Kind regards
Oliver
Posted 22 Feb, 2018 04:32:05
Andrei Smolin


Add-in Express team


Posts: 15094
Joined: 2006-05-11
Hello Oliver,

Correct. They add the Signature node to the manifest.

Regards from Belarus (GMT+3),

Andrei Smolin
Add-in Express Team Leader
Posted 22 Feb, 2018 05:09:25
OliverM




Posts: 194
Joined: 2015-08-13
Hi Andrei,

Andrei Smolin writes:
Correct. They add the Signature node to the manifest.

Thank you for the clarification.

Andrei Smolin writes:
Your add-in only loads if the loader, manifest, and add-in assembly are signed using the same key. It isn't possible to delete the signature from the manifest so that the add-in still loads.


An attacker could theoretically remove my digital signatures from the add-in and loader libs and replace them with any other valid certificate. Would the attacker be able to update the signature node in the loader manifest as well? If so, the add-in would happily load, wouldn't it?
Kind regards
Oliver
Posted 22 Feb, 2018 05:57:31
Andrei Smolin


Add-in Express team


Posts: 15094
Joined: 2006-05-11
Oliver,

That's the goal of using a digital certificate: although it is possible to do all the things above, this change will modify *your* add-in so that it won't be *yours* any longer. Your customer checks that an add-in is *yours* by looking at the signature created using *your* digital certificate. If the customer accepts only *your* add-ins (e.g. based on internal policies), such an attack won't be successful.

See also https://docs.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/platform-apis/ms537361(v=vs.85).

Regards from Belarus (GMT+3),

Andrei Smolin
Add-in Express Team Leader
Posted 22 Feb, 2018 06:38:10
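
The last reply comes down to checking whose certificate signed the files, not merely that a signature is present. The PowerShell below is an added example of that check, not code from the thread or from Add-in Express; the function name, the paths and the thumbprint are placeholders, and the manifest is assumed to embed its signer certificate in an XMLDSig X509Certificate element.

```powershell
# Added example: pin the publisher certificate rather than accept "any valid signature".
# Placeholders/assumptions: all paths and the thumbprint are supplied by the caller; the
# manifest is assumed to embed its signer certificate in an XMLDSig <X509Certificate>.
function Test-AddinPublisher {
    param(
        [Parameter(Mandatory)][string[]]$BinaryPath,        # loader and add-in DLLs
        [Parameter(Mandatory)][string]$ManifestPath,        # e.g. adxloader.dll.manifest
        [Parameter(Mandatory)][string]$ExpectedThumbprint   # the publisher certificate you trust
    )
    $expected = ($ExpectedThumbprint -replace '\s', '').ToUpperInvariant()

    foreach ($path in $BinaryPath) {
        $sig   = Get-AuthenticodeSignature -FilePath $path
        $thumb = $null
        if ($sig.SignerCertificate) { $thumb = $sig.SignerCertificate.Thumbprint }
        [pscustomobject]@{
            File       = $path
            Status     = [string]$sig.Status
            Thumbprint = $thumb
            # 'Valid' alone is not enough: a file re-signed with another certificate is also 'Valid'.
            Trusted    = ($sig.Status -eq 'Valid' -and $thumb -eq $expected)
        }
    }

    # Manifest: compare the certificate carried in the Signature node with the pinned one.
    # This checks identity only; it does not re-validate the XML signature itself.
    $xml = New-Object System.Xml.XmlDocument
    $xml.Load((Resolve-Path -LiteralPath $ManifestPath).ProviderPath)
    $ns = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
    $ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')
    $node   = $xml.SelectSingleNode('//ds:Signature//ds:X509Certificate', $ns)
    $thumb  = $null
    $status = 'NoSignerCertificate'
    if ($node) {
        [byte[]]$raw = [Convert]::FromBase64String($node.InnerText.Trim())
        $thumb  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($raw).Thumbprint
        $status = 'CertificatePresent'
    }
    [pscustomobject]@{
        File       = $ManifestPath
        Status     = $status
        Thumbprint = $thumb
        Trusted    = ($null -ne $thumb -and $thumb -eq $expected)
    }
}
```

Obtain the expected thumbprint from the publisher out of band, not from the files being checked.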