please add digital signature to the dlls in the Tomlyn nuget package #71
Comments
For an application (and installer), I understand the value, but for DLLs in NuGet packages, what is really the value? Who is doing that today in the OSS space (except big corps like Microsoft)? In general, I'm against digital signing. But even if I were relying on SignPath and they removed their free support for OSS, that would cause me problems. Similarly, these certificates are usually time-bounded and I would have to handle that. I would also have to change dotnet-releaser to take that into account, etc. Lots of trouble for little value.
I don't sign my assemblies and they're used widely in massive enterprises. Signing changes assembly version compatibility rules (on .NET Framework) and adds startup latency. Microsoft says "Strong naming has no benefits on .NET Core/5+." https://learn.microsoft.com/en-us/dotnet/standard/library-guidance/strong-naming
"Do not rely on strong names for security. They provide a unique identity only." -> https://learn.microsoft.com/en-us/dotnet/standard/assembly/strong-named?source=recommendations
@golden-aries Have you tried that package? |
Yes. Thank you, lilith. I have been using Tomlyn.Signed for more than a year already.

```xml
<PackageReference Include="Scriban" Version="5.12.1" />
<PackageReference Include="Tomlyn.Signed" Version="0.18.0" />
```
Digital signatures != strong name signing. Digital signatures on assembly DLLs are handled by Authenticode signing with an X.509 certificate. It doesn't affect load performance unless loaders specifically validate the signature; by default, the one in .NET does not. That said, the only benefit in some environments is if AppLocker requires it. As a developer on WiX years back, we had to deal with this and sign our Windows Installer custom action DLLs within an MSI, then repackage and sign those. If no one is actually running into that problem with these DLLs, I wouldn't worry about it. It's definitely a hassle.
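The comments above hinge on the difference between two things that both get called "signing": an Authenticode signature, which is a PKCS#7 blob referenced from the PE security directory, and a strong name, which is a flag plus a signature blob inside the CLR header. The following is an added example (not Tomlyn's code, nor anything from the Tomlyn.Signed package) that parses the PE headers directly and reports which of the two a given DLL carries. It only reports presence: a real validity check still needs `signtool verify /pa` or `Get-AuthenticodeSignature` for Authenticode and `sn -vf` for the strong name. The `build_sample_pe` helper fabricates a minimal PE32+ image with a CLR header purely so the checker can be exercised offline; it is a constructed stand-in, not a loadable assembly, and its certificate bytes are not a real PKCS#7 structure.

```python
"""Report whether a .NET assembly carries an Authenticode signature and/or a
strong name, by reading the PE headers (no third-party dependencies).
Presence only; cryptographic verification is out of scope."""
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4          # holds a FILE OFFSET (not an RVA)
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14   # IMAGE_COR20_HEADER (CLR header), an RVA
COMIMAGE_FLAGS_STRONGNAMESIGNED = 0x8
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002


def _u16(b, off): return struct.unpack_from("<H", b, off)[0]
def _u32(b, off): return struct.unpack_from("<I", b, off)[0]


def _rva_to_offset(data, section_table, nsections, rva):
    """Translate an RVA to a file offset through the section table."""
    for i in range(nsections):
        sh = section_table + 40 * i
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", data, sh + 8)
        if vaddr <= rva < vaddr + max(vsize, rawsize):
            return rawptr + (rva - vaddr)
    return None


def inspect_pe(data: bytes) -> dict:
    if data[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ)")
    pe = _u32(data, 0x3C)
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file (missing PE signature)")
    nsections, opt_size = _u16(data, pe + 6), _u16(data, pe + 20)
    opt = pe + 24
    magic = _u16(data, opt)
    if magic == 0x10B:                      # PE32
        ndirs_off, dirs_off = opt + 92, opt + 96
    elif magic == 0x20B:                    # PE32+
        ndirs_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    ndirs, section_table = _u32(data, ndirs_off), opt + opt_size

    def directory(idx):
        return struct.unpack_from("<II", data, dirs_off + 8 * idx) if idx < ndirs else (0, 0)

    result = {"authenticode": False, "managed": False,
              "strong_name_flag": False, "strong_name_blob_size": 0}

    # Authenticode: security directory -> WIN_CERTIFICATE {dwLength, wRevision, wCertificateType, bCertificate}
    sec_off, sec_size = directory(IMAGE_DIRECTORY_ENTRY_SECURITY)
    if sec_off and sec_size >= 8 and sec_off + 8 <= len(data):
        length, cert_type = _u32(data, sec_off), _u16(data, sec_off + 6)
        result["authenticode"] = cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA and 8 < length <= sec_size

    # Strong name: CLR header flags (offset 16) and StrongNameSignature {RVA, Size} (offset 32)
    clr_rva, clr_size = directory(IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR)
    if clr_rva and clr_size >= 72:
        clr = _rva_to_offset(data, section_table, nsections, clr_rva)
        if clr is not None:
            result["managed"] = True
            result["strong_name_flag"] = bool(_u32(data, clr + 16) & COMIMAGE_FLAGS_STRONGNAMESIGNED)
            result["strong_name_blob_size"] = _u32(data, clr + 36)
    return result


def build_sample_pe(authenticode: bool, strong_name: bool) -> bytes:
    """Constructed minimal PE32+ image with one section and a CLR header.
    Not a real or loadable assembly; exists only to exercise inspect_pe()."""
    img = bytearray(0x400)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                       # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, 0x44, 0x8664, 1, 0, 0, 0, 240, 0x2022)  # COFF header
    opt = 0x58
    struct.pack_into("<H", img, opt, 0x20B)                       # PE32+ magic
    struct.pack_into("<I", img, opt + 108, 16)                    # NumberOfRvaAndSizes
    dirs, clr_rva, clr_file = opt + 112, 0x2000, 0x200
    struct.pack_into("<II", img, dirs + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, clr_rva, 72)
    sh = opt + 240                                                # .text: RVA 0x2000 -> file 0x200
    img[sh:sh + 8] = b".text\0\0\0"
    struct.pack_into("<IIII", img, sh + 8, 0x200, clr_rva, 0x200, clr_file)
    flags = 0x1 | (COMIMAGE_FLAGS_STRONGNAMESIGNED if strong_name else 0)   # ILONLY [+ STRONGNAMESIGNED]
    struct.pack_into("<IHH", img, clr_file, 72, 2, 5)
    struct.pack_into("<I", img, clr_file + 16, flags)
    struct.pack_into("<II", img, clr_file + 32, 0x2100 if strong_name else 0, 128 if strong_name else 0)
    if authenticode:
        blob = b"\x30\x82\x00\x00" + b"\x00" * 60                # stand-in bytes, not real PKCS#7
        cert = struct.pack("<IHH", 8 + len(blob), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + blob
        struct.pack_into("<II", img, dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, len(img), len(cert))
        img += cert
    return bytes(img)


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, inspect_pe(f.read()))
```

Run it against the DLLs extracted from a .nupkg (a NuGet package is a zip) to see at a glance whether a package ships Authenticode-signed, strong-named, both, or neither. Note that NuGet's own package signature is a third, separate mechanism that covers the .nupkg as a whole and says nothing about the individual DLLs.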
Hello Alexandre, thank you for sharing your code!
It would be very nice if the DLLs in your NuGet package were digitally signed.
There are guys out there who can help with signing open source projects' DLLs without charge.
Here is a link:
SignPath for Open Source projects
I learned about them while exploring Kirill Osenkov's MSBuildStructuredLog. His MSBuildStructuredLog application is digitally signed with the help of SignPath.
Here are links:
Add mention about SignPath Foundation and free code certificate in Readme.md #681
Thanks to https://signpath.io/ for generously providing a certificate to sign the installer.
KirillOsenkov/MSBuildStructuredLog