Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Strongly sign assemblies, for nuget package #178

Open
sbohmig opened this issue Jul 21, 2021 · 7 comments
Open

Strongly sign assemblies, for nuget package #178

sbohmig opened this issue Jul 21, 2021 · 7 comments

Comments

@sbohmig
Copy link

sbohmig commented Jul 21, 2021

Hello, would it be possible to strongly sign the nuget package assembly?
@nkreipke
Copy link

See #108. Im still maintaining my fork at https://www.nuget.org/packages/Sprache.Signed/.

@jzabroski
Copy link

You can just use StrongNamer nuget package to do this for you

@sbohmig
Copy link
Author

sbohmig commented Jul 21, 2021

Thank you very much, John.

Great to see a signed version does exists, how could I miss it... That is exactly what I needed.

The StrongNamer is interesting although we only need to sign selected assemblies and this adds extra config work.

Thanks again!

@jzabroski
Copy link

@sbohmig I think you're misunderstanding strong naming. If you have to strong name one unsigned reference in a project, you have to sign them all, or the DLL context won't load them. That's why you add https://github.com/dsplaisted/strongnamer as a PackageReference to your "entry point" DLL/csproj and it automatically signs ALL of these packages for you.

Caveat lector, if signing a DLL for purposes of COM component for things like Office plug-ins, then you probably want a stable key or a sophisticated component upgrade process.

@sbohmig
Copy link
Author

sbohmig commented Jul 22, 2021
edited
Loading

@jzabroski I believe I do understand. Sprache is the only unsigned assembly we need to upgrade. Replacing it with a signed version is the least effort, has zero impact on build processes and does not introduce more dependencies.

I only briefly looked at StrongNamer. I really like the idea but saw issues listed that would require spending us more time to evaluate: Debugging signed assemblies to mention one. The repository does not seem to be maintained since 2 years and issues remain unanswered. This makes any adoption a more lengthy process on our end. Using the "al" tool directly is an option too.

@jzabroski
Copy link

Understood - extra dependencies can cause increased time to solve problems. I'm mainly championing the approach because I think OSS devs should get out of the business of supporting strong naming altogether.

@denwanke
Copy link

denwanke commented Oct 4, 2021
edited
Loading

@jzabroski We use strong naming in our solutions to prevent tampering with sensible code parts like license checks. We'd love to use the "official" NuGet package but unfortunately we cannot. Using StrongNamer is not a real option to consider, it causes some troubles, especially in CI Builds. Why do you against signing your code to enable more users of your library? What is so bad with it? It does no harm... And BTW, Sprache is the only unsigned library we came across over the years. Pretty weird...

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@jzabroski @nkreipke @denwanke @sbohmig