I've started toying with the proper Dotfuscator project settings to give me a workable, yet relatively-secure-as-possible package for deploying to private beta testers and the Marketplace. A great starting point for this journey could be found here: http://weblogs.asp.net/bsimser/archive/2010/12/31/dotfuscator-deep-dive-with-wp7.aspx.
Before we start, my project includes a number of 3rd party controls like AppBarUtils, MVVMLight, Funq, and my favorite IrcDotNet (which is the source of this post). The instructions say to use your XAP file as input so we'll follow that. On the far right-hand side of the Input Files toolbar is Transform XAML/BAML resources in all assemblies. Click this to turn it off primarily to be thorough. I believe this affects MVVM because it tries to rename Xaml internals that are data bound. Follow the instructions on the Settings->Global Options screen to set Disable Control Flow and Disable Renaming to No to enable them.
Now click the Build Project toolbar button to build your project. If your XAP includes a signed assembly, you'll be greeted with the following message:
Warning: The strong named input assemblies (or assembly) <TempDirectory>IrcDotNet.dll were not resigned. You will need to sign these dotfuscated assemblies manually.
My first instinct was to go to the Settings->Signing screen, and enable Re-sign Strong Named Assemblies and point it to IrcDotNet.snk. If you do that you're met with a different message:
Running sn.exe /q /R <ConfigDirectory>IrcDotNet.dll <Location of>IrcDotNet.snk
Warning: Password protected Strong Name files are not supported
sn returned 1.
This is the end of the line as far as automation goes. The only recourse is to sign the assembly manually as the original warning states. If you do not resign this file before deployment, your app will not startup properly. Once code hits that signed assembly it simply will not function.
My first approach was to go to the Rename and Control Flow tabs and exclude every assembly other than my own. This produces the same result. Assemblies are reassembled regardless of whether or not any options are applied.
My preferred approach is to go to the Input tab, right click on each 3rd party assembly and click Exclude assembly from package. This has a lovely UI effect of removing everything from the screen and pausing while Dotfuscator works its magic. The added bonus? This happens every assembly. The bare minimum would be to only remove those signed assemblies but I took it all the way and removed all 3rd party dlls. These are all open source frameworks so obfuscating them isn't necessary.
Now click Build Project again and the app starts! Inspecting the result in IL Spy gives me a runtime error on decompile, meaning control flow is on and teh IP iz protectordez. My app also uses localization and Smart Obfuscation automatically disables renaming for my localization resources so no extra legwork is needed to exclude them.
In summary if you don't need to obfuscate 3rd party assemblies, simply exclude them from the Input tab rather than trying to exclude them in the individual obfuscation tabs. Ilasm is still ran on the assemblies which triggers the need to re-sign them.