
please add digital signature to the dlls in the Tomlyn nuget package #71

Open
golden-aries opened this issue Sep 8, 2023 · 5 comments
Labels
question Further information is requested

Comments

@golden-aries

Hello Alexandre, thank you for sharing your code!
It would be very nice if the DLLs in your NuGet package were digitally signed.

There are people out there who help with signing open source projects' DLLs free of charge.
Here is a link:
SignPath for Open Source projects

I learned about them while exploring Kirill Osenkov's MSBuildStructuredLog. His MSBuildStructuredLog application is digitally signed with the help of SignPath.
Here are links:
Add mention about SignPath Foundation and free code certificate in Readme.md #681
Thanks to https://signpath.io/ for generously providing a certificate to sign the installer.
KirillOsenkov/MSBuildStructuredLog

@xoofx xoofx added the question Further information is requested label Sep 8, 2023
@xoofx
Owner

xoofx commented Sep 8, 2023

> It would be very nice if the DLLs in your NuGet package were digitally signed.
> I learned about them while exploring Kirill Osenkov's MSBuildStructuredLog. His MSBuildStructuredLog application is digitally signed with the help of SignPath.

For an application (and installer), I understand the value, but for DLLs in NuGet packages, what is really the value? Who is doing that today in the OSS space (except big corporations like Microsoft)?

In general, I'm against digital signing. But even if I were relying on SignPath and they removed their free support for OSS, that would cause me problems. Similarly, these certificates are usually time bounded and I would have to handle that. I would also have to change dotnet-releaser to take that into account, etc.

Lots of trouble for little value.

@lilith
Contributor

lilith commented Jan 31, 2024

I don't sign my assemblies and they're used widely in massive enterprises. Signing changes assembly version compatibility rules (on .NET Framework) and adds startup latency. Microsoft says "Strong naming has no benefits on .NET Core/5+." https://learn.microsoft.com/en-us/dotnet/standard/library-guidance/strong-naming

@lilith
Contributor

lilith commented Jan 31, 2024

"Do not rely on strong names for security. They provide a unique identity only." -> https://learn.microsoft.com/en-us/dotnet/standard/assembly/strong-named?source=recommendations

@lilith
Contributor

lilith commented Feb 1, 2024

Tomlyn.Signed already exists as a NuGet package, and is part of the automatic release system: https://www.nuget.org/packages/Tomlyn.Signed

@golden-aries Have you tried that package?

@golden-aries
Author

Yes. Thank you, lilith. I have already been using Tomlyn.Signed for more than a year.

	  <PackageReference Include="Scriban" Version="5.12.1" />
	  <PackageReference Include="Tomlyn.Signed" Version="0.18.0" />
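The thread above mixes two different things: a strong-name signature (what Tomlyn.Signed carries, an identity only, as the linked Microsoft page says) and an Authenticode signature from a code-signing certificate (what SignPath would provide). As an added example, not code from this thread or from the Tomlyn project, here is a small .NET console program using the SDK's System.Reflection.Metadata that reports which of the two each DLL inside a .nupkg actually has. It assumes the package path is passed on the command line; the package name in the build comment is only an illustration.

```csharp
// Added example (not Tomlyn's code): inspect the DLLs inside a .nupkg for
// a strong-name flag and an Authenticode certificate table.
// Build: dotnet new console, replace Program.cs with this file, then
//   dotnet run -- path/to/Tomlyn.Signed.0.18.0.nupkg
using System;
using System.IO;
using System.IO.Compression;
using System.Linq;
using System.Reflection.Metadata;
using System.Reflection.PortableExecutable;
using System.Security.Cryptography;

string nupkg = args.Length > 0 ? args[0] : throw new ArgumentException("usage: <package.nupkg>");
using var zip = ZipFile.OpenRead(nupkg);   // a .nupkg is a plain zip archive
foreach (var entry in zip.Entries.Where(e => e.FullName.EndsWith(".dll", StringComparison.OrdinalIgnoreCase)))
{
    // PEReader needs a seekable stream; zip entry streams are not, so buffer in memory.
    using var buffer = new MemoryStream();
    using (var s = entry.Open()) s.CopyTo(buffer);
    buffer.Position = 0;

    using var pe = new PEReader(buffer);
    var headers = pe.PEHeaders;
    if (headers.PEHeader is null) { Console.WriteLine($"{entry.FullName}: not a PE image"); continue; }

    // Authenticode: a non-empty certificate table (PE data directory #4).
    // This only detects presence; it does not validate the certificate chain or the hash.
    bool hasAuthenticode = headers.PEHeader.CertificateTableDirectory.Size > 0;

    // Strong name: flag in the CLI header, set when the assembly was signed with a key pair.
    // Delay-signed or unsigned assemblies leave it clear. Presence again is not verification:
    // .NET Core/5+ does not check strong-name signatures at load time.
    bool strongNamed = headers.CorHeader is not null
                       && (headers.CorHeader.Flags & CorFlags.StrongNameSigned) != 0;

    string token = "(none)";
    if (headers.CorHeader is not null)
    {
        var md = pe.GetMetadataReader();
        var asm = md.GetAssemblyDefinition();
        if (!asm.PublicKey.IsNil)
        {
            // Public key token = low 8 bytes of SHA-1(public key), reversed, as .NET prints it.
            byte[] hash = SHA1.HashData(md.GetBlobBytes(asm.PublicKey));
            token = string.Concat(hash.TakeLast(8).Reverse().Select(b => b.ToString("x2")));
        }
    }
    Console.WriteLine($"{entry.FullName}: strong-named={strongNamed} token={token} authenticode={hasAuthenticode}");
}
```

The public key token is what to pin in a PackageReference consumer's expectations or compare against the publisher's published token; for an actual Authenticode validity check on Windows, use signtool verify or Get-AuthenticodeSignature on the extracted DLL rather than this presence test.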
