Assemblies returned from AppDomain.AssemblyResolve are checked for matching strong name #101029

reflectronic · 2024-04-14T19:33:20Z

Reproduction

Make a dummy project without strong-name signing:

<Project Sdk="Microsoft.NET.Sdk">

    <PropertyGroup>
        <TargetFramework>net8.0</TargetFramework>
        <AssemblyName>Newtonsoft.Json</AssemblyName>
        <AssemblyVersion>15.0.0.0</AssemblyVersion>
    </PropertyGroup>

</Project>

namespace Newtonsoft.Json.Linq
{
    public class JArray
    {
        public JArray(params object[] values) { }

        public override string ToString() => "Surprise!";
    }
}

Then, the project to demonstrate the error:

<Project Sdk="Microsoft.NET.Sdk">

    <PropertyGroup>
        <TargetFramework>net8.0</TargetFramework>
        <OutputType>Exe</OutputType>
    </PropertyGroup>

    <ItemGroup>
        <PackageReference Include="Newtonsoft.Json" Version="13.0.3" ExcludeAssets="runtime" />
        <!-- Change path to wherever you decide to put it... -->
        <None Include="../Newtonsoft.Json/bin/Debug/net8.0/Newtonsoft.Json.dll" CopyToOutputDirectory="PreserveNewest" />
    </ItemGroup>

</Project>

using System;
using System.Reflection;
using System.Runtime.CompilerServices;
using Newtonsoft.Json.Linq;

// #1
// Assembly.LoadFrom("Newtonsoft.Json.dll");

// #2
// AppDomain.CurrentDomain.AssemblyResolve += (_, _) =>
// {
//     return Assembly.LoadFrom("Newtonsoft.Json.dll");
// };

Run();

[MethodImpl(MethodImplOptions.NoInlining)]
void Run()
{
    Console.WriteLine(new JArray(1, 2, 3).ToString());
}

Run the project. It should fail with:

System.IO.FileNotFoundException: 'Could not load file or assembly 'Newtonsoft.Json, Version=13.0.0.0, Culture=neutral, PublicKeyToken=30ad4fe6b2a6aeed'. The system cannot find the file specified.'

This is expected.

Uncomment the code labeled '#1'. The code should run with output:

Surprise!

This is also expected, since .NET Core should ignore strong names for the purpose of assembly binding.

Re-comment that code, and now uncomment the code labeled '#2'. The code will fail with:

System.IO.FileLoadException: 'Could not load file or assembly 'Newtonsoft.Json, Version=13.0.0.0, Culture=neutral, PublicKeyToken=30ad4fe6b2a6aeed'. A strongly-named assembly is required. (0x80131044)'

This is not expected—the code should run successfully as it did in the previous example.

Commentary

This code in AppDomain::RaiseAssemblyResolveEvent seems suspicious:

runtime/src/coreclr/vm/appdomain.cpp

Lines 4533 to 4535 in fa1164c

    
           // Check that the public key token matches the one specified in the spec 
        
           // MatchPublicKeys throws as appropriate 
        
           pSpec->MatchPublicKeys(pAssembly);

The text was updated successfully, but these errors were encountered:

dotnet-policy-service · 2024-04-14T19:56:24Z

Tagging subscribers to this area: @vitek-karas, @agocke, @VSadov
See info in area-owners.md if you want to be subscribed.

… event This check was somehow missed during earlier cleanups that deleted strongname matching for assembly binding. Fixes dotnet#101029

… event (#101039) This check was somehow missed during earlier cleanups that deleted strongname matching for assembly binding. Fixes #101029

jkotas · 2024-04-16T06:15:16Z

Thank you for reporting this issue!

… event (dotnet#101039) This check was somehow missed during earlier cleanups that deleted strongname matching for assembly binding. Fixes dotnet#101029

dotnet-issue-labeler bot added the needs-area-label An area label is needed to ensure this gets routed to the appropriate area owners label Apr 14, 2024

dotnet-policy-service bot added the untriaged New issue has not been triaged by the area owner label Apr 14, 2024

jkotas added area-AssemblyLoader-coreclr and removed needs-area-label An area label is needed to ensure this gets routed to the appropriate area owners labels Apr 14, 2024

github-project-automation bot added this to AppModel Apr 14, 2024

jkotas mentioned this issue Apr 15, 2024

Ignore strongname mismatch for assemblies returned by AssemblyResolve event #101039

Merged

jkotas closed this as completed in #101039 Apr 16, 2024

jkotas added a commit that referenced this issue Apr 16, 2024

Ignore strongname mismatch for assemblies returned by AssemblyResolve…

1b06075

… event (#101039) This check was somehow missed during earlier cleanups that deleted strongname matching for assembly binding. Fixes #101029

dotnet-policy-service bot removed the untriaged New issue has not been triaged by the area owner label Apr 16, 2024

github-actions bot locked and limited conversation to collaborators May 16, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Assemblies returned from AppDomain.AssemblyResolve are checked for matching strong name #101029

Assemblies returned from AppDomain.AssemblyResolve are checked for matching strong name #101029

reflectronic commented Apr 14, 2024

dotnet-policy-service bot commented Apr 14, 2024

jkotas commented Apr 16, 2024

Assemblies returned from AppDomain.AssemblyResolve are checked for matching strong name #101029

Assemblies returned from AppDomain.AssemblyResolve are checked for matching strong name #101029

Comments

reflectronic commented Apr 14, 2024

Reproduction

Commentary

dotnet-policy-service bot commented Apr 14, 2024

jkotas commented Apr 16, 2024