Signing QuestPDF

[Aurelien-Dev]

I work on a PDF project for my employer in c# .net 4.8. All projects are signed by an snk file of the compagnie. That means I can only include signed nugets if I'm not mistaken (feel free to contradict me).

QuestPDF doesn't seem signed, when I use it I get an error message >

System.IO.FileLoadException: 'Could not load file or assembly' QuestPDF, 
Version=2022.12.1.0, Culture=neutral, PublicKeyToken=null' or one of its dependencies. A strongly-named assembly is required. (Exception from HRESULT: 0x80131044)'

I was about to rebuild source code to include my signed file, but i would like to know if you have any other solution about this before starting job

Thanks, have a great day

[MarcinZiabek]

I haven't investigated code signing yet. Would you please share results of your work? (e.g. via pull request) If this process is simple, I am open to integrate it to official release. Thank you 😁

[Urunokun]

I'm also interested in using QuestPDF with my signed project and I've also faced the above issue.

Signing the assembly via sign provider is not free (e.g. https://www.comodo.com/business-security/code-signing-certificates/code-signing.php) and thus cannot simply be done by outer contributor. But it will allow to use QuestPDF in a more wide range of projects.

So could you please maybe consider investigating this topic and release signed version of package?

Thank you!

[Aurelien-Dev]

I haven't investigated code signing yet. Would you please share results of your work? (e.g. via pull request) If this process is simple, I am open to integrate it to official release. Thank you 😁

Hello, I got the source code and I compiled with my company's certificate, it works fine. But if later the project decides to sign it, it would help to make the updates more regular. In the meantime, this is a solution that helps me out a lot.

You can see the post bellow, Urunokun mention about provider to signing assembly

[teebeast]

I was about to rebuild source code to include my signed file, but i would like to know if you have any other solution about this before starting job

We use Brutal Developer .NET Assembly Strong-Name Signer for sign the assemblies with our own .snk-File. Repackage it and use it from our own nuget-feed.

Creating an snk-File sn -k <YOUR SNK FILE NAME>.snk per Visual Studio command and copy the created file to the project folder.

Modify the project file:

  <PropertyGroup>
    <SignAssembly>true</SignAssembly>
    <AssemblyOriginatorKeyFile>[filename].snk</AssemblyOriginatorKeyFile>
  </PropertyGroup>

Now the assembly should have a strong name. It helps companies that uses their own assemblies with strong name. Like we do.

[borisdj]

This is Dupe of https://github.com/QuestPDF/QuestPDF/issues/95 I have added post there with instructions how it can be done.

[testalino]

Signed assemblies are needed for our project as well. I understand that this might be a legacy issue with our application, but it is still annoying.

https://github.com/dotnet/runtime/blob/main/docs/project/strong-name-signing.md

Quote "Because of the viral nature of strong-naming, it is recommended that publicly published .NET libraries are strong-named. Not strong-naming a .NET library excludes anyone who does need to strong-name their application or library from using it. Read more about .NET libraries and strong-naming in the .NET Library Guidance."

We are not sure if we can switch to QuestPDF if the assembly will not be signed.

Thanks.

[teebeast]

A solution could be to publish a further package which is signed, e.g. QuestPDF.Signed.

[MarcinZiabek]

Signing the QuestPDF assembly is on our current roadmap 😄

Would you like to share any details about what your process requires? For example, if there are any requirements for the signing certificate. It is important for us to better understand our clients' needs in this regard. Could you also elaborate on how you deal with other open-source projects that often are not signed?

Code-signing certificates are not cheap, therefore I would like to better understand of what is truly required. If everything goes well, the 2024.11.0 release could already be signed 😄

[borisdj]

@MarcinZiabek you don't need a paid certificate.

• Call sn -k QuestPDF.snk in the directory QuestPDF to create a key pair.
• Add created files to the repository as it is open source (Strong-named assemblies)
• Edit the project Properties (Build -> Strong naming) on signing tab: activate signing and select the snk-file

Also you don't need to keep not signed version nuget as NotSigned projects can consume strong named libraries, just not the other way round.

[teebeast]

Non-executable assemblies do not necessarily require a code signing certificate. In our company we use it mainly to avoid problems with virus scanners. Basically, I recommend using a code signing certificate with extended validation. It has some additional security controls to prevent misuse of the certificate. It is reliably accepted by most virus scanners compared to the normal certificate.

Maybe you mean signing your created nuget package instead of signing your assemblies. But in this issue the request is for signing a assembly with a strong name.

[testalino]

@borisdj explained it already perfectly. @MarcinZiabek since our application is strong-named we can only use strong-named assemblies. So far this has not been an issue for us. The bigger projects usually use strong-naming (presumably for compatibility reasons). The good thing: this does not cost anything and the required effort is fairly minimal, I would really appreciate it, if this could be implemented quickly - we really need this library very soon.

[simoviljakainen]

Similar situation here. We are trying to sign our project, but can't as the library is not strongly-named. Hopefully this gets implemented.

[MarcinZiabek]

I am currently actively investigating this task and consider it as one of my priorities.

I consider two solutions, depending on other efforts: 1) Include this change in the October release. 2) Postpone this change till the November release but publish its alpha version very soon (in September).

I am not sure yet how significant this change is and how many build systems may break. Therefore, this change should be published as the pre-release version at least 2-3 weeks before the official stable release, to avoid any risks and detect potential incompatibilities.

I am also considering purchasing a code signing certificate to streamline the installation process of the QuestPDF Companion App on Windows. I am unsure if the same certificate can be used to strong-name sign the assembly, and if it provides any additional benefits.

@borisdj Thank you for sharing the exact process and link to the documentation. I appreciate it a lot. I am hoping for our collaboration in this effort 😄

[testalino]

We would be happy with a November release and we would test the pre-release and give feedback of course.