Excel-DNA / ExcelDna

Excel-DNA - Free and easy .NET for Excel. This repository contains the core Excel-DNA library.
https://excel-dna.net
zlib License

Sign our NuGet packages before submitting to nuget.org #198

Open augustoproiete opened 6 years ago

augustoproiete commented 6 years ago

Today, NuGet introduced the concept of signed package submissions, giving package authors the ability to sign their packages.

Issue #197 is already a good step towards package authenticity, and the concept of signing packages goes even further.

Opening this issue to start the discussion, as there might be costs involved in obtaining a code signing certificate that is trusted by nuget.org, which is one of the requirements.

Benefits of signing packages

As we described in our original blog post, we have two primary goals to accomplish:

  • Package Integrity: We want to ensure the package contents have not been modified from the time the package was authored to when a developer downloads it for use in their projects. We also recognize that users copy packages from NuGet.org to multiple locations (such as setting up mirrors or copying them locally) and we want to ensure that such packages have not been modified before consumption.

  • Package Authenticity: We’ve heard from the community that it is often difficult to determine the origin of a package. In a previous blog post, we proposed some resolutions to the problem such as the ability for users to reserve package ID prefixes on NuGet.org. As we called out in that blog post, the next logical step is to address package signing. This will strengthen our package identity solution to provide authenticity on packages across multiple feeds.

Compatibility:

A signed NuGet package is designed to be fully compatible with pre-existing NuGet servers and clients. Only newer versions of NuGet clients will take advantage of validating package signatures. We added this capability to Visual Studio 2017 15.6.
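The integrity and authenticity goals quoted above only pay off if consumers actually enforce signatures, and enforcement is opt-in. The following NuGet.Config is an added example written for this page; it is not part of the Excel-DNA repository, and the signer name "Excel-DNA" and both certificate fingerprints are placeholders, not the project's real certificates. It shows the default, non-enforcing setting beside the enforcing one.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example (not from the Excel-DNA project): a consumer-side NuGet.Config
     that makes NuGet reject packages it cannot attribute to a trusted signer. -->
<configuration>
  <config>
    <!-- Default is "accept": signature problems are only logged and restore succeeds,
         so an unsigned or tampered package is still consumed.
         <add key="signatureValidationMode" value="accept" />
         "require" makes restore fail for any package that is unsigned, whose
         signature does not verify, or whose signer is not listed below. -->
    <add key="signatureValidationMode" value="require" />
  </config>

  <trustedSigners>
    <!-- Hypothetical author entry. The SHA-256 fingerprint is a placeholder; the real
         one is read from a package the author signed (dotnet nuget verify --all prints
         the signing certificate), never copied from an untrusted source. -->
    <author name="Excel-DNA">
      <certificate fingerprint="0000000000000000000000000000000000000000000000000000000000000000"
                   hashAlgorithm="SHA256"
                   allowUntrustedRoot="false" />
    </author>

    <!-- "require" applies to every package in the restore, not only this project's,
         so the feed's repository signer normally has to be trusted as well. The
         fingerprint here is also a placeholder. -->
    <repository name="nuget.org" serviceIndex="https://api.nuget.org/v3/index.json">
      <certificate fingerprint="1111111111111111111111111111111111111111111111111111111111111111"
                   hashAlgorithm="SHA256"
                   allowUntrustedRoot="false" />
    </repository>
  </trustedSigners>
</configuration>
```

On the producer side the matching commands are `dotnet nuget sign <package>.nupkg --certificate-path <cert>.pfx --certificate-password <pw> --timestamper <rfc3161-url>` to sign and `dotnet nuget verify --all <package>.nupkg` to check the result; the trusted-signer entries above can also be generated from a signed package with `dotnet nuget trusted-signers add`. Two caveats a practitioner will want: the timestamper is not optional in practice, because without an RFC 3161 timestamp the signature stops verifying once the certificate expires, which undoes the "copied to a mirror years later" integrity case from the quoted goals; and nuget.org only accepts author signatures from a certificate chaining to a publicly trusted root that the author has registered on their account, which is where the cost mentioned at the top of this issue comes from.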

govert commented 6 years ago

I think that would be fine, but not something I'm likely to pay much attention to myself.

augustoproiete commented 5 years ago

Interesting read on this topic: Why NuGet Package Signing Is Not (Yet) for Me

9swampy commented 1 year ago

A necromancing Devil's Advocate afterthought re anti-virus false positives... still "not (yet)"? Full disclosure; haven't read the links or researched yet...