OrchardCMS / OrchardCore

Orchard Core is an open-source modular and multi-tenant application framework built with ASP.NET Core, and a content management system (CMS) built on top of that framework.
https://orchardcore.net
BSD 3-Clause "New" or "Revised" License
Digitally sign the OrchardCore Assembly #11613

Open ns8482e opened 2 years ago

ns8482e commented 2 years ago

Is your feature request related to a problem? Please describe.

Add digital signature for OrchardCore assembly

hishamco commented 2 years ago

Isn't it signed?!!

ns8482e commented 2 years ago

The NuGet package is, but not the DLLs.

ns8482e commented 2 years ago

This is how it is for JSON.NET

image

Piedone commented 2 years ago

What benefits does signing the DLLs bring?

ns8482e commented 2 years ago

Yes, it's confusing, as the Microsoft doc says there is no material benefit for .NET 5+, but .NET assemblies are signed for 5+.

> What benefits does signing the DLLs bring?

For the same reason that .NET assemblies are signed: users who digitally sign their own assemblies can't use OrchardCore, as it's not signed.

https://github.com/dotnet/runtime/blob/main/docs/project/strong-name-signing.md#1-microsoft-strong-names-their-assemblies-should-i

Skrypt commented 2 years ago

But if you are using the source code of Orchard Core then you can easily sign these assemblies for yourself. If we sign them then everyone becomes dependent on the key owner.

sebastienros commented 2 years ago

I will understand this issue as a request to delay sign the assemblies. Then I would say it's totally fine, let's create an snk file and add it to the repos, and add the AssemblySign property in the common csproj.

https://github.com/sebastienros/fluid/blob/main/Common.props#L35
https://github.com/sebastienros/fluid/blob/main/Fluid.snk

sebastienros commented 2 years ago

https://docs.microsoft.com/en-us/dotnet/standard/library-guidance/strong-naming#create-strong-named-net-libraries
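
Added example, not part of the thread and not OrchardCore code: "signing a DLL" can mean a strong name or an Authenticode signature, and both are separate from the NuGet package signature. This PowerShell check reports both for every DLL in a folder. The function name and the default folder path are assumptions chosen for illustration.

```powershell
# Added example: for each DLL, report whether it declares a strong name and
# whether it carries an Authenticode signature (two independent mechanisms).
param(
    # Assumption: folder holding the DLLs to inspect (placeholder default).
    [string]$Path = '.\bin\Release'
)

function Get-AssemblySigningInfo {
    param([Parameter(Mandatory)][string]$File)

    $token = $null
    $managed = $true
    try {
        # Reads the assembly identity from metadata without loading the assembly.
        $name  = [System.Reflection.AssemblyName]::GetAssemblyName($File)
        $bytes = $name.GetPublicKeyToken()
        if ($bytes -and $bytes.Length -gt 0) {
            $token = -join ($bytes | ForEach-Object { $_.ToString('x2') })
        }
    }
    catch [System.BadImageFormatException] {
        # Native DLLs have no assembly identity, so they cannot be strong-named.
        $managed = $false
    }

    # Authenticode signature embedded in the file (cmdlet is Windows-only).
    $sig = Get-AuthenticodeSignature -FilePath $File

    [pscustomobject]@{
        File           = Split-Path $File -Leaf
        Managed        = $managed
        # A token means the assembly declares a strong-name identity;
        # this check does not validate the strong-name signature itself.
        StrongNamed    = [bool]$token
        PublicKeyToken = $token
        Authenticode   = $sig.Status
        Signer         = $sig.SignerCertificate.Subject
    }
}

Get-ChildItem -Path $Path -Filter *.dll -Recurse |
    ForEach-Object { Get-AssemblySigningInfo -File $_.FullName } |
    Format-Table -AutoSize
```

A consumer that strong-names its own assemblies needs `StrongNamed` to be true for its dependencies; the `Authenticode` column is unrelated to that requirement.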