DapperLib / Dapper

Dapper - a simple object mapper for .Net
https://www.learndapper.com/

Digitally sign Dapper assemblies #2014

Closed omedusb closed 11 months ago

omedusb commented 11 months ago

Our project requires digitally signed DLLs. Dapper.dll is not digitally signed. There is a strongly signed Dapper.StrongName.dll, but that does not satisfy our requirement to ensure the integrity and authenticity of an assembly.

Are there any plans for the Dapper assembly to be digitally signed?

mgravell commented 11 months ago

Short version: unlikely, and definitely not unless someone wants to sponsor the time, effort and overheads involved. Plus we'd need to investigate whether that makes it an identity-breaking release, in which case: probably a hard no unless we do a "major" (V3)

Digitally signing (as distinct from strong naming) is pretty rare for 3rd-party OSS libs, and would involve a lot of key management overheads (they need to be refreshed depressingly frequently these days), which has both time and monetary cost. When we're giving a library away for free, the baseline expectation is that it doesn't actively hurt us, the maintainers :)

Can I ask: what is the motivation behind this requirement? It isn't a high demand thing, and I will note that for most internal purposes you could always clone it, build it yourselves, and sign it with your own internally trusted certificate. The library is actively used by a huge range of consumers including Microsoft, and they haven't historically demanded this.
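As an added example (not the project's own code, and not from either participant in this thread), a PowerShell script that makes the distinction under discussion concrete: it reports whether an assembly is merely strong-named or carries an Authenticode signature, and signs it with an internally trusted certificate as suggested above. The assembly path, certificate thumbprint and timestamp URL are placeholders.

```powershell
# Added example: distinguish strong naming from Authenticode code signing,
# then (optionally) sign the assembly with your own internally trusted cert.
$AssemblyPath   = ".\Dapper.dll"              # placeholder path
$CertThumbprint = "<YOUR-CERT-THUMBPRINT>"    # placeholder: internal CA code-signing cert

function Get-AssemblySigningStatus {
    param([Parameter(Mandatory)][string]$Path)

    # Strong name: a public-key token bound into the assembly identity. It gives
    # identity/versioning guarantees only; it is not a publisher attestation.
    $name  = [System.Reflection.AssemblyName]::GetAssemblyName((Resolve-Path $Path).Path)
    $token = ($name.GetPublicKeyToken() | ForEach-Object { $_.ToString("x2") }) -join ""

    # Authenticode: an X.509 signature over the PE file, chained to a trusted root.
    $sig = Get-AuthenticodeSignature -FilePath $Path

    [pscustomobject]@{
        Assembly         = $name.Name
        Version          = $name.Version.ToString()
        StrongNamed      = [bool]$token
        PublicKeyToken   = if ($token) { $token } else { $null }
        Authenticode     = $sig.Status            # Valid, NotSigned, HashMismatch, ...
        Signer           = $sig.SignerCertificate.Subject
        SignerThumbprint = $sig.SignerCertificate.Thumbprint
    }
}

function Set-InternalSignature {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Thumbprint
    )
    # Look up a code-signing certificate (with private key) issued by your internal CA.
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My -CodeSigningCert |
        Where-Object { $_.Thumbprint -eq $Thumbprint -and $_.HasPrivateKey }
    if (-not $cert) { throw "Code-signing certificate $Thumbprint not found in LocalMachine\My" }
    # Timestamping keeps the signature verifiable after the certificate expires.
    Set-AuthenticodeSignature -FilePath $Path -Certificate $cert -HashAlgorithm SHA256 `
        -TimestampServer "http://timestamp.example.invalid"   # placeholder timestamp URL
}

$status = Get-AssemblySigningStatus -Path $AssemblyPath
$status | Format-List
if ($status.Authenticode -ne 'Valid') {
    Write-Warning "$($status.Assembly) has no valid Authenticode signature (strong-named: $($status.StrongNamed))"
    # Uncomment once a real thumbprint is configured:
    # Set-InternalSignature -Path $AssemblyPath -Thumbprint $CertThumbprint
}
```

Run it against a NuGet-extracted Dapper.dll and Dapper.StrongName.dll to see the strong-name token present on one and absent on the other, while Authenticode reports NotSigned for both.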

omedusb commented 11 months ago

The motivation behind this is cybersecurity requirements to ensure that the assembly has not been tampered with. And using a 3rd-party assembly not signed by the author is considered a risk.

mgravell commented 11 months ago

Ok. That sounds like a business scenario - compliance, etc. I'm not philosophically opposed to code-signing the package, but: obtaining and maintaining code-signing capability has both initial and ongoing overhead to me - plus the impact on CI and deployment scenarios (obviously we can't simply hand our keys to our existing automated CI cloud). It is not my intention to actively subsidise businesses. If you're serious about wanting this, I'd be open to discussing some terms that don't leave Dapper/myself in the red. But if this is a "is this a thing Dapper is simply going to do for gratis?": probably not, no.

mgravell commented 11 months ago

Happy to discuss more if someone wants to sponsor this, but this isn't something the library (meaning: me) can commit to funding itself (meaning: myself).