please add digital signature to the dlls in the Tomlyn nuget package #71
Comments
For an application (and installer), I understand the value, but for DLLs in NuGet packages, what is really the value? Who is doing that today in the OSS space (except big corps like Microsoft)? In general, I'm against digital signing. But even, if I was relying on SignPath, and they remove their free support for OSS, that would cause me a problem. Similarly, these certificates are usually time-bounded and I would have to handle that. I would also have to change dotnet-releaser to take that into account, etc. Lots of trouble for little value.
I don't sign my assemblies and they're used widely in massive enterprises. Signing changes assembly version compatibility rules (on .NET Framework) and adds startup latency. Microsoft says "Strong naming has no benefits on .NET Core/5+." https://learn.microsoft.com/en-us/dotnet/standard/library-guidance/strong-naming
Do not rely on strong names for security. They provide a unique identity only. -> https://learn.microsoft.com/en-us/dotnet/standard/assembly/strong-named?source=recommendations
@golden-aries Have you tried that package?
Yes. Thank you lilith. I have been using Tomlyn.Signed for more than a year already.
<PackageReference Include="Scriban" Version="5.12.1" />
<PackageReference Include="Tomlyn.Signed" Version="0.18.0" />
Hello Alexandre, thank you for sharing your code!
It would be very nice if the dlls in your nuget package were digitally signed.
There are guys out there who can help with signing open source projects' DLLs without charge.
Here is a link:
SignPath for Open Source projects
I learned about them while exploring Kirill Osenkov's MSBuildStructuredLog. His MSBuildStructuredLog application is digitally signed with the help of SignPath.
Here are links:
Add mention about SignPath Foundation and free code certificate in Readme.md #681
Thanks to https://signpath.io/ for generously providing a certificate to sign the installer.
KirillOsenkov/MSBuildStructuredLog