Address feedback: enforce Azure DLL public key token at bind time under STRONG_NAME_SIGNING #3983
Merged
paulmedynski merged 2 commits into dev/paul/verify-assemblies from Feb 25, 2026
…_SIGNING Co-authored-by: paulmedynski <31868385+paulmedynski@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Update Azure DLL verification via public key token" to "Address feedback: enforce Azure DLL public key token at bind time under STRONG_NAME_SIGNING" on Feb 25, 2026
Pull request overview
This PR addresses a security vulnerability in how the Azure extension assembly is loaded under strong-name signing. The previous approach in PR #3978 loaded the assembly by simple name first, then validated the public key token post-load. This created a window where a malicious assembly with the same simple name could execute module initializers before the validation occurred.
Changes:
- Moved public key token enforcement to bind time by calling `SetPublicKeyToken` before `Assembly.Load` under `STRONG_NAME_SIGNING`
- Removed redundant post-load token validation block (18 lines)
- Leverages existing exception handling (`FileNotFoundException` is already caught) to handle token mismatch failures
paulmedynski approved these changes on Feb 25, 2026
Merged 0245de5 into dev/paul/verify-assemblies. 6 of 10 checks passed.
Description
When `STRONG_NAME_SIGNING` is enabled, the previous approach loaded the Azure extension assembly by simple name first, then checked the public key token post-load. This meant a malicious assembly with the same simple name could execute module initializers before the check ran.

Fix: Under `#if STRONG_NAME_SIGNING`, build a fully-qualified `AssemblyName` with the expected public key token set via `SetPublicKeyToken` before calling `Assembly.Load`. The CLR then enforces the token at bind time — the wrong assembly is never loaded.

Token mismatch or missing assembly causes `Assembly.Load` to throw `FileNotFoundException`, already handled by the existing catch block. The redundant post-load token check block has been removed.

Without `STRONG_NAME_SIGNING`, behavior is unchanged — simple name load as before.

Issues
Addresses review feedback on #3978.
Testing
The existing exception handling covers the token-mismatch failure path (runtime throws `FileNotFoundException` on token mismatch, caught by the existing handler). No new automated tests added; the behavior under `STRONG_NAME_SIGNING` is exercised by the existing AKV provider load path in the build that enables signing.
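The two load patterns this PR contrasts, shown side by side as an added C# example that is not the PR's own code. The simple name `Example.Azure.Extension`, the token bytes, and the class and method names are hypothetical placeholders, and only the name and token are set on the `AssemblyName`.

```csharp
using System;
using System.IO;
using System.Linq;
using System.Reflection;

static class ExtensionLoader
{
    // Hypothetical simple name and placeholder token bytes: neither value comes from the PR.
    const string ExtensionName = "Example.Azure.Extension";
    static readonly byte[] ExpectedToken = { 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77 };

    // BEFORE: bind by simple name, compare the token afterwards.
    // When the comparison runs, Assembly.Load has already bound whichever assembly
    // answered to that simple name; this is the window the PR description calls out.
    public static Assembly LoadThenCheck()
    {
        Assembly loaded = Assembly.Load(new AssemblyName(ExtensionName));
        byte[] actual = loaded.GetName().GetPublicKeyToken();
        if (actual == null || !actual.SequenceEqual(ExpectedToken))
        {
            return null; // rejected, but only after the assembly is already in the process
        }
        return loaded;
    }

    // AFTER: the expected token is part of the bind request itself,
    // so no separate post-load comparison is needed.
    public static Assembly LoadPinned()
    {
        var name = new AssemblyName(ExtensionName);
#if STRONG_NAME_SIGNING
        // Only signed builds pin the token; other builds keep the simple-name load.
        name.SetPublicKeyToken(ExpectedToken);
#endif
        try
        {
            return Assembly.Load(name);
        }
        catch (FileNotFoundException)
        {
            // Per the PR description, this covers both a missing assembly and a token mismatch.
            return null;
        }
    }
}
```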