Skip to main content
Version: 2026.1

4.11. Signing of Embedded Files

4.11.1.  Introduction

During its operation, Eazfuscator.NET may generate additional assemblies that are subsequently embedded into the main output assembly. At runtime, these assemblies are extracted and loaded when the corresponding content is requested. This occurs, for example, when using resource encryption.

By default, such embedded files are not signed, which is sufficient in most cases. However, in environments with strict application control policies, such as systems enforcing Windows Defender Application Control (WDAC), unsigned executable files may be blocked from loading. This is particularly relevant for class libraries, which may be deployed in environments with varying security restrictions.

4.11.2. Instructions

You can enable signing of embedded files by providing Eazfuscator.NET with an external signing command. This is typically implemented as an executable script that invokes a signing utility with the required parameters. The path to the signing script can be specified either via EAZFUSCATOR_NET_FILE_SIGNER environment variable or by using --file-signer option in the command-line interface of Eazfuscator.NET.

Note

Signing of embedded files is only applied to the assemblies generated by Eazfuscator.NET. It doesn't affect assemblies embedded with assemblies embedding feature.

4.11.3. Tuning

By default, Eazfuscator.NET uses a conservative approach, invoking the specified file signer once per assembly and ensuring that only a single signer process is active at any given time. You can change that by specifying file signer capabilities using EAZFUSCATOR_NET_FILE_SIGNER_CAPS environment variable or --file-signer-caps command-line option.

The list of supported capabilities is presented in the table below.

Table 4.13. The list of supported capabilities for a file signer

Capability

Description

multi

Allows passing multiple assemblies to the file signer in a single invocation. The file signer must support multiple input files provided as positional command-line arguments. If not specified, the file signer is invoked once per assembly.

parallel

Enables concurrent invocation of the file signer using multiple threads. The file signer must support parallel signing operations. If not specified, only a single file signer process is active at any given time.

You can specify multiple file signer capabilities separated by comma. For example: multi,parallel.

Tip

Providing the capabilities of a particular file signer can improve efficiency and performance.

4.11.4. Disabling

Signing of embedded files is automatically enabled when a signing command is [specified](#Signing of Embedded Files Instructions "4.11.2. Instructions").

In some cases, you may want to disable this behavior in your code. To do so, follow the instructions below.

How to disable signing of embedded files

  1. Open obfuscatable project inside the IDE

  2. Add new source file to the project and call it ObfuscationSettings.cs (for C#) or ObfuscationSettings.vb (for Visual Basic .NET). You may prefer to use another name instead of ObfuscationSettings.cs or ObfuscationSettings.vb

  3. Fill ObfuscationSettings.cs with the following content (C#):

    using System;
    using System.Reflection;

    [assembly: Obfuscation(Feature = "file signing", Exclude = true)]

    For Visual Basic .NET, fill ObfuscationSettings.vb with the following content:

    Imports System
    Imports System.Reflection

    <Assembly: Obfuscation(Feature:="file signing", Exclude:=True)>