Strong named assembly #135
Comments
|
I don't have any experience with that, but know what it is about and open to the idea. |
|
FYI. I am away all this week and will not be able to follow up before next week. |
|
Do you want to pursue this and add a PR? I don't have much time to put into this project these days unfortunately. |
|
As I thought, there is a lot of debate on whether to strong name sign open source nuget libs. octokit/octokit.net#405 (comment) Based on these, I am inclined to NOT sign Units.NET. Open to discuss, naturally. |
|
I understand your hesitancy in strong-naming, but what has me quite confused is that it appears you have a certificate in each of the source projects, and are essentially strong-naming the source, but not the NuGet package. I would think this should be done the other way around: don't strong-name the source, so that other developers can build without having the certificate problems, but strong-name the NuGet package so that those who don't need to compile the source can simply use the NuGet package in their own strongly named solutions. |
|
Oops - ignore that cryptic reference to how you've already strongly named the source. I was looking at my fork. Still, the point remains. I agree - don't sign the source. However, please sign the NuGet so that people can use it without having to compile it. :-) |
|
@bplett I'm not sure I follow. what do you mean by signing the nuget but not signing the projects? Is this what you are referring to? |
|
I think the subject has been discussed enough in the threads you mention. I just happen to be on the side that would like to see the NuGet packages signed. I believe the biggest reason for not signing the projects is because of the hassle when people are working with the source and compiling it themselves. I'm suggesting that you could just sign the NuGet packages when you publish them and that would solve the problem for all the people who want to use the NuGet package even with strong naming in place. The way it is now, I want to use the NuGet package but can't. I have to keep a copy of the source and recompile it JUST to get the strong-naming in place. |
|
@WGVDNSoftware I absolutely get your point of view, but from what I've read of the discussions there seems to be a consensus in open source to not do strong name signing - even if it is trivial to do so. I can only refer to the discussions for the arguments, as I do not really have any experience with this myself. |
|
@anjdreas I am in a similar situation to WGVDVSoftware. I must respectfully disagree with the conclusion that you came to regarding strong naming open source projects, the information is dated. I have successfully deployed strong named open source projects, without compromising the key file. I have a great deal of experience in this arena, and I am willing to give you a detailed explanation by email, voice, and even team with you to get this done. |
|
It really would be GREAT if we could use the NuGets directly rather than signing our own just for the sake of strong-naming. :-) |
|
Btw, it would also give us more incentive to contribute to the project rather than just keep our own changes since we have to keep a local copy anyway. |
|
@jecaruthersjr I am all ears, please put forward your arguments and also please explain why the debate in the links are outdated. I don't have any experience with consuming or creating strongly signed libs, nuget or otherwise. But I did link to quite extensive debates on repos of largely popular nugets, and the consensus at that time seemed clearly towards not strong naming the open source nugets. My conclusion was solely based on their conclusion as I did not have any new info to add to the conversation. |
|
I want to start by trying to clear up and correct some of what was being said in the comments of this thread as well as the comments you referenced. If any of this information is stuff you already know, I apologize now, I have tried to compartmentalize the information so it can be easily skipped, after which I will then propose my solution. First, people have made the assertion that strong-named assemblies have nothing to do with security. That is categorically false, they are digitally signed, which has everything to do with security. What is a Digital Signature? Do Strong-named Assemblies use Digital Signatures? How Do Public Key Cryptography Digital Signatures Work with Assemblies?
That being said, I’m am completely uninterested in getting into an argument or even a discussion for that matter, based on the opinions whether this type of security is secure, how much security this affords someone, or whether people should be strong-naming their assemblies, open-source or otherwise, when the only fact that matters is that Microsoft requires all assemblies to be strong named that will:
The bottom line is, right or wrong, a lot of environments, including mine, require that assemblies are loaded into the GAC, and yes, I am also fully aware of the workarounds, ILMerge, rebuilding source with our own keys, etc. These alternatives make using things like NuGet to upgrade referenced assemblies and build automation very difficult. I’ve also heard you can use hammers to drive screws, it just seems smarter to use a drill. Another reference made was to someone complaining about new contributors becoming demotivated by having to fight to get strong-named Visual Studio projects to build, this can easily be circumvented using project build variables (www.visualstudio.com/en-us/docs/build/define/variables) to define when to use strong-naming and when not to. Furthermore, a bit of advice to anyone reading this, take it from a software engineer who knows; if fighting with a project that is not building demotivates you, I suggest getting the hell out of the software development business immediately, this isn’t for you. Solution:
I skimmed over the solution on purpose. I figured you might already be bored and/or uninterested. If you are interested, and if you would like me to elaborate on one or all of the steps. Let me know, I would be happy to. Edit: I may not have been clear about what code will actually need to change. The only changes are a few lines in the csproj file, and no extra files will need to be added either, you will store the required .snk file on the build server. -John |
|
@jecaruthersjr I've created a draft PR for strong name signing. It seems to work, the files appear as signed and nuget updates work in the two apps I tried it in. The only thing preventing me from pulling the trigger on this are a couple of concerns I still am not sure about, maybe you can provide some insight:
|
|
@anjdreas Let me try to help out with some of these things. Number 1 Number 2 Number 3 That being said, to accomplish this I recommend, first adding Boolean build variables to the project files to isolate the strong naming properties; true, meaning strong named, and false meaning weak named, and second create 2 paths through your build server definition: First path (weak named)
Then Package and Publish both NuGet packages. Let me know if this helped, and/or need any other help. |
|
@tongbong @jecaruthersjr @bplett @WGVDNSoftware UnitsNet.Signed 3.48.1 nuget is now out and will follow the core lib versioning from now on. |
|
If you also need the JsonSerializer and/or WinRT nugets signed, let me know. I don't add them right away because both of them are kind of niche/experimental. |
|
Thank you. |
|
Heads up on strong name signing key now being published and also changed to a new key: |
One of our client only integrate strong named assemblies...
https://msdn.microsoft.com/en-us/library/wd40t7ad%28v=vs.110%29.aspx
It seams easy to do:
https://msdn.microsoft.com/en-us/library/xc31ft41%28v=vs.110%29.aspx
Any thought about this?
The text was updated successfully, but these errors were encountered: