SoftCircuits / OrderedDictionary

.NET library that implements an ordered dictionary.
MIT License

Assembly is not signed. #3

Closed Kizaemon closed 1 year ago

Kizaemon commented 1 year ago

Hi Soft Circuits,

I wonder if there is a reason why the assembly is not signed, thus having a strong name. Maybe you have a reason for this?

My projects are all signed and therefore the compiler shows a warning:

3>CSC : warning CS8002: Referenced assembly 'SoftCircuits.OrderedDictionary, Version=3.0.0.0, Culture=neutral, PublicKeyToken=null' does not have a strong name.


SoftCircuits commented 1 year ago

@Kizaemon To be honest, I'm not familiar with this. I've been using .NET since it was released and hadn't been exposed to this and I've never seen this warning.

So the answer is that there's no reason I'm not doing this.

I can try and research it to better understand why you get a warning and I don't. And to better understand the advantages of having one.

Are you using the NuGet package?

Kizaemon commented 1 year ago

> Are you using the NuGet package?

Yes, the warning happens when I'm including the NuGet package.

The advantage of signing is that the checksum of the library (dll) is attached to the end of the library, so guaranteeing that the library is (1) not corrupt, (2) correct version, (3) of your origin.

The disadvantage is basically that once you sign your main project, all libraries need to be signed.

The signing only applies to .NET Framework. Unfortunately I cannot move to .NET 7 yet.

From MS documentation:

"For .NET Core and .NET 5+, strong-named assemblies do not provide material benefits. The runtime never validates the strong-name signature, nor does it use the strong-name for assembly binding. If you are an open-source developer and you want the identity benefits of a strong-named assembly for better compatibility with .NET Framework, consider checking in the private key associated with an assembly to your source control system."

Here is an example of EPPlus library config setting:

image

I think you can generate a new file and add it to the root of your project:

sn -k OrderedDictionary.snk

Then choose this file in the project settings "Sign the assembly".

ghost commented 1 year ago

@Kizaemon Build your own version and sign it if you need to sign your own project; it is better than nothing in your case.

SoftCircuits commented 1 year ago

@Kizaemon I appreciate you bringing this to my attention. However, looking into it, it does not appear to offer any benefit for .NET Core (as you also pointed out).

We will continue to support the .NET Standard version of the library for the foreseeable future. But our main focus is on .NET Core and future versions of the framework. So I don't expect to make changes of this nature.
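
The CS8002 warning quoted in this thread is raised for any referenced assembly whose identity shows `PublicKeyToken=null`. The following is an added example, not code from this thread or from the SoftCircuits project, that lists that token for every managed DLL in a folder so unsigned dependencies can be found before a strong-named .NET Framework project references them; the class name `StrongNameAudit` and the command-line argument are assumptions made for the illustration.

```csharp
// Added example (not from the thread): list the strong-name status of every
// managed DLL in a folder, e.g. a build output or NuGet package directory.
using System;
using System.IO;
using System.Reflection;

static class StrongNameAudit   // hypothetical name, chosen for this example
{
    // Returns the public key token as hex, or null when the assembly
    // metadata carries none (what the compiler prints as PublicKeyToken=null).
    static string GetPublicKeyToken(string path)
    {
        byte[] token = AssemblyName.GetAssemblyName(path).GetPublicKeyToken();
        if (token == null || token.Length == 0)
            return null;
        return BitConverter.ToString(token).Replace("-", "").ToLowerInvariant();
    }

    static int Main(string[] args)
    {
        // Assumption: the folder to audit is passed as the first argument;
        // it defaults to the directory this tool runs from.
        string dir = args.Length > 0 ? args[0] : AppContext.BaseDirectory;
        int missing = 0;

        foreach (string path in Directory.EnumerateFiles(dir, "*.dll"))
        {
            string token;
            try
            {
                token = GetPublicKeyToken(path);
            }
            catch (BadImageFormatException)
            {
                continue; // native DLL, no assembly metadata to read
            }

            if (token == null)
                missing++;
            Console.WriteLine("{0,-45} PublicKeyToken={1}",
                Path.GetFileName(path), token ?? "null");
        }

        // Non-zero exit code lets a build script fail on unsigned references.
        return missing == 0 ? 0 : 1;
    }
}
```

A reported token only shows that the assembly metadata carries a public key; this check reads metadata and does not validate the signature, so delay-signed or public-signed assemblies also report a token.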