andrewlock / NetEscapades.AspNetCore.SecurityHeaders

Small package to allow adding security headers to ASP.NET Core websites
MIT License
660 stars 70 forks

Authenticode signing #68

Closed bencyoung closed 1 month ago

bencyoung commented 4 years ago

Hi Andrew,

This is a great library, very useful to add a little bit of fire and forget hardening to our microservices. There's just one issue and that's our CI machines don't like it due to it not being signed and our locked down environments. If you could sign the dlls then I could ask that the public key is added to our whitelisted producers?

I can provide some example signing code if that helps, but you'd need to produce the certificate of course!

Thanks, Ben

andrewlock commented 4 years ago

Hi Ben,

Thanks, glad you like the library!

In theory, signing is a good idea, but I just don't think I have the stomach for it. Aside from the cost of obtaining a signing certificate ($500 for 3 years) there's the issue of storing the cert and managing it, etc.

I've seen this post that walks through it specifically for AzureKeyVault etc, and Phil Haack talking about it but that is such a headache, I just don't know if I can face it (i.e. the same conclusion as Phil Haack who helped build NuGet originally!) 😩

I know that's not what you want to hear, and I'm not opposed to signing specifically, I'm just opposed to the effort at this point...

Out of interest, how much of a deal breaker is this your side? The vast majority of open source isn't signed, and I can't imagine you convince that many people to go through it? How do you deal with that typically?

bencyoung commented 4 years ago

Hi Andrew,

I can see the pain! We only would need the code signing part and even then I think in theory you could use a self-signed certificate as we (or our opaque IT department!) could add the public key to our whitelist. You can create a self-signed one with something like:

$cert = New-SelfSignedCertificate -Type CodeSigningCert -Subject "CN=<CertificateName>" -CertStoreLocation Cert:\CurrentUser\My

You can then put it in your build process with something like:

<SignCommand>$(SignTool) sign /n "$(CertificateName)" /fd sha256 /t http://timestamp.verisign.com/scripts/timstamp.dll /v "$(TargetPath)"</SignCommand>

However I can see that even this is a pain.

We've also looked at using ILMerge to just combine your assembly into ours but believe it or not ILMerge is also blocked and I've raised a request for this to be signed too :)

Our final option (apart from whitelisting it on all our build servers) is to pull the code directly into our consuming assemblies via a git module or similar but that has a bit of overhead!

Don't worry too much, this is more of a vent as to how difficult our dev environments are!

Ben
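The self-signed workflow described in the comment above, sketched end to end as an added example (not code from this thread or from the project): the publisher creates the certificate, signs the DLL and exports the public certificate, and the consumer pins the exact certificate by thumbprint. The subject, paths, file names and the `Test-PinnedSignature` function are hypothetical; it assumes Windows with the built-in PKI and Security modules.

```powershell
# Added example. Subject, paths and file names below are hypothetical.
$subject = 'CN=Example Library Signing (self-signed)'
$dll     = '.\bin\Release\Example.Library.dll'
$cerFile = '.\example-signing.cer'

# --- Publisher side -------------------------------------------------------
# Create a code-signing certificate whose private key cannot be exported.
$cert = New-SelfSignedCertificate -Type CodeSigningCert -Subject $subject `
    -CertStoreLocation Cert:\CurrentUser\My -KeyExportPolicy NonExportable `
    -HashAlgorithm SHA256 -NotAfter (Get-Date).AddYears(3)

# Sign with a SHA-256 digest. Passing -TimestampServer <url> as well keeps the
# signature verifiable after the certificate itself has expired.
Set-AuthenticodeSignature -FilePath $dll -Certificate $cert `
    -HashAlgorithm SHA256 | Out-Null

# Export only the public certificate. This file and the thumbprint are what
# consumers receive; the private key never leaves the publisher's store.
Export-Certificate -Cert $cert -FilePath $cerFile | Out-Null
"Thumbprint to publish: $($cert.Thumbprint)"

# --- Consumer side --------------------------------------------------------
# Explicit trust decision, requires elevation. Until the public certificate
# is in a trusted root store, a self-signed signer does not verify as 'Valid'.
# Import-Certificate -FilePath $cerFile -CertStoreLocation Cert:\LocalMachine\Root

function Test-PinnedSignature {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $PinnedThumbprint
    )
    $sig = Get-AuthenticodeSignature -FilePath $Path
    # Reject unsigned files, files modified after signing (HashMismatch)
    # and signers whose chain is not trusted on this machine.
    if ($sig.Status -ne 'Valid') { return $false }
    # Pin the exact certificate: a subject name alone can be reproduced by
    # anyone who generates their own self-signed certificate.
    return $sig.SignerCertificate.Thumbprint -eq $PinnedThumbprint
}

# Returns $true only after the import above has been done on this machine.
Test-PinnedSignature -Path $dll -PinnedThumbprint $cert.Thumbprint
```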

andrewlock commented 1 month ago

Hi Ben, I'm doing some clean up and so going to close this, because realistically I'm never going to do this, sorry 😅