So, for work I am developing an entire framework completely written in C#, though with the way it is written, I support the loading of DLLs written in any .NET 4 language (VB.Net, C++.Net, etc). The way it is written would be similar to Android, or iOS in such that people (customers) can create their own modules (dlls) and publish them in a market, download modules, etc, etc.
The way it is written is that I have a framework of DLLs which hold 90% of the functions, loading addons, network connection clsses, basically things that modules can have access to without having to re-write an entire class to support it each time. This also allows for me to update 1 DLL and have the change reflect on all modules that reference it.
There is then a base program which generates instances of classes, and provides the graphical interface for modules to be loaded into. What I want to do, is more or less verify the framework DLL's and verify the modules that I have written, as I include an Author as part of the module, I need to ensure that the Author is who the program says it is. Modules are fully controlled by the server so I am not worried about copying DLL files, though I would like to add in some form of protection to them. I am considering having random bytes throughout the DLL hold parts of the registered serial when the module is downloaded from the server.
So, in essence my question is two parts, I have searched on google but couldn't find anything related to what I want.
Part 1. A way to read a digital signature on the framework DLL files to validate the Authenticity of them, if this is not possible, then lump it with part 2.
Part 2. A way to protect / link DLLs to a specific registered copy of the core program. As the modules themselves aren't licensed, I need to figure out a way to sign them (however I would need a way to check the signature programatically), or have them be checked for
b) The core they are linked to when downloaded (to prevent copying). As I say it is server controlled, but cut the internet connection and there is no way to validate. Due to the nature of the market this is for, not everyone has an active internet connection, and those that do can be veyr tightly controlled, so a pure internet requirement is not possible.