Thank you for reporting this inconsistency. Note that there are two separate APIs that calculate hashes. The other API was always using SHA1. I just misinterpreted the assembly metadata fields when implementing the System.Reflection.Metadata-based API.
Steps to reproduce
ILSpy/ICSharpCode.Decompiler/Metadata/MetadataExtensions.cs
Lines 24 to 54 in 1370b99
Error message shown
The implementation uses the assembly's hash algorithm id to choose which hash algorithm to use when hashing the public key. This is incorrect. Public key tokens are always calculated using a SHA1 hash of the public key.
Details
Since SHA1 is the default, and it is pretty difficult to successfully create a non-SHA1 assembly, the current implementation almost always works.
Here's a straightforward implementation from .NET itself: https://github.com/dotnet/runtime/blob/cc5f1df48e5e39a6fa5ab94ca4664aac3cc36898/src/libraries/System.Private.CoreLib/src/System/Reflection/AssemblyNameHelpers.StrongName.cs#L11C1-L33C10
You can see that SHA1 is always used. Recall that assembly references can capture a public key without the ability to capture a hash algorithm, so it must be calculatable without that. Also, publishers must be able to change the hash algorithm in future releases without changing an assembly's identity.
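The calculation described in this issue, as an added example that is not code from ILSpy or from the .NET runtime: the token is the last 8 bytes of the SHA-1 digest of the public key, in reverse order, and the assembly's hash algorithm id is not an input. All class and method names are hypothetical, `ComputeTokenByHashAlgId` models only the SHA-1 and SHA-256 ids to reproduce the reported behaviour, and the sample input is the 16-byte ECMA standard public key.

```csharp
using System;
using System.Security.Cryptography;

static class PublicKeyTokenDemo
{
    // AssemblyHashAlgorithm ids as stored in the Assembly metadata table.
    const int HashAlgSha1 = 0x8004, HashAlgSha256 = 0x800C;

    // Token bytes are the last 8 bytes of the digest, in reverse order.
    static byte[] LastEightReversed(byte[] digest)
    {
        var token = new byte[8];
        for (int i = 0; i < token.Length; i++)
            token[i] = digest[digest.Length - 1 - i];
        return token;
    }

    // Correct: SHA-1 always; the assembly's hash algorithm id is not an input.
    static byte[] ComputeToken(byte[] publicKey)
    {
        using (var sha1 = SHA1.Create())
            return LastEightReversed(sha1.ComputeHash(publicKey));
    }

    // Behaviour reported in the issue: the digest is selected by the id.
    static byte[] ComputeTokenByHashAlgId(byte[] publicKey, int hashAlgId)
    {
        using (HashAlgorithm alg = hashAlgId == HashAlgSha256
            ? (HashAlgorithm)SHA256.Create() : SHA1.Create())
            return LastEightReversed(alg.ComputeHash(publicKey));
    }

    static string Hex(byte[] b) => BitConverter.ToString(b).Replace("-", "").ToLowerInvariant();

    static void Main()
    {
        // Sample input: the 16-byte ECMA standard public key.
        var key = new byte[16];
        key[8] = 0x04;

        string expected = Hex(ComputeToken(key));
        foreach (int id in new[] { HashAlgSha1, HashAlgSha256 })
        {
            string got = Hex(ComputeTokenByHashAlgId(key, id));
            string verdict = got == expected ? "matches" : "differs from";
            Console.WriteLine($"HashAlgId 0x{id:X4}: {got} {verdict} SHA-1 token {expected}");
        }
    }
}
```

With the SHA-256 id the id-driven variant yields a token that no longer matches the one a reference to the same key would carry, which is the identity mismatch the issue describes.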