dajuric / dot-imaging

Minimalistic .NET imaging portable platform

Signing Assemblies #4

Open spoiledtechie opened 8 years ago

spoiledtechie commented 8 years ago

Hey.

Great projects. I am in love with them. Just starting to figure them all out, but I do have one request: that you sign the assemblies with a key file. We run our code with other libraries and we require our libraries to be signed.

I can compile and sign your code myself, but for the NuGet packages, they cannot be signed unless you do it. Can you make sure that you sign the assemblies, please?

Many thanks!

dajuric commented 8 years ago

Hi "spoiledtechie",

thanks for the kind comments. If you have any comments regarding the features, please let me know; if you can, tell me what you are using the framework for so I can improve it to target that specific field (you can use "darko . juric2 [at] gmail . com").

Sure, I can. Do you mean this: https://msdn.microsoft.com/en-us/library/xc31ft41(v=vs.110).aspx ?

Best, Darko

CmdQ commented 7 years ago

Hi @dajuric. That's the thing @spoiledtechie is talking about. I have the same problem. I tried your DotImaging.IO library for easy video loading. And easy it is indeed, I really like it!

But I have the same problem: the code base is signed, and as such referencing unsigned assemblies is forbidden.

I would really appreciate it if you'd release signed NuGet packages.

Many thanks!

zabulus commented 7 years ago

There are plenty of NuGet packages that allow you to manually sign 3rd-party libraries. The simplest NuGet package that signs all unsigned libraries with the same certificate: https://www.nuget.org/packages/StrongNamer/

CmdQ commented 7 years ago

@zabulus: I already tried this tool as a manual build step.

This kind of works, but I'd rather have the original author's signature for his own code, like it's meant to be.

zabulus commented 7 years ago

This kind of works, but I'd rather have the original author's signature for his own code, like it's meant to be.

What is the use case for this? In the case of OSS projects there is not much point in strong-signing, because the code-signing certificate is in most cases placed in public next to the code, so everyone could sign the OSS library output. There's not much difference between signing it manually on your side and it being signed by the author's public certificate.
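The compile-time complaint CmdQ describes (a strong-named project refusing an unsigned reference) comes down to whether the referenced assembly's manifest carries a public key token. The following C# tool is an added example, not code from dot-imaging or from anyone in this thread; it reads that token from assemblies given on the command line and can compare it against a token you pinned earlier. The assembly paths and the expected token are inputs you supply.

```csharp
using System;
using System.Linq;
using System.Reflection;

// Added example, not part of the dot-imaging project: report whether a compiled
// assembly carries a strong name and, if so, which public key token it has.
static class StrongNameCheck
{
    // Returns the public key token as lowercase hex, or null when the assembly
    // is not strong-named (the case that breaks a strong-named referencing project).
    public static string GetPublicKeyTokenHex(string assemblyPath)
    {
        // GetAssemblyName reads only the manifest; the assembly is not loaded or executed.
        AssemblyName name = AssemblyName.GetAssemblyName(assemblyPath);
        byte[] token = name.GetPublicKeyToken();
        if (token == null || token.Length == 0)
            return null;
        return string.Concat(token.Select(b => b.ToString("x2")));
    }

    // True only when the assembly is strong-named with exactly the expected key
    // (e.g. a token you recorded from a known-good build). An unsigned assembly or
    // one signed with any other key is reported as a mismatch.
    public static bool HasExpectedToken(string assemblyPath, string expectedTokenHex)
    {
        string actual = GetPublicKeyTokenHex(assemblyPath);
        return actual != null &&
               string.Equals(actual, expectedTokenHex, StringComparison.OrdinalIgnoreCase);
    }

    static void Main(string[] args)
    {
        if (args.Length == 0)
        {
            Console.Error.WriteLine("usage: StrongNameCheck <assembly.dll> [...]");
            return;
        }

        foreach (string path in args)
        {
            AssemblyName name = AssemblyName.GetAssemblyName(path);
            string token = GetPublicKeyTokenHex(path);
            Console.WriteLine(token == null
                ? $"{name.Name} {name.Version}: NOT strong-named"
                : $"{name.Name} {name.Version}: PublicKeyToken={token}");
        }
    }
}
```

Two things worth keeping in mind when reading its output. The token identifies a key, not a publisher: if the .snk file is committed next to the source, as zabulus notes, anyone can produce an assembly with the same token, so the check satisfies the compiler's strong-name requirement but says nothing about who built the binary; publisher identity is what an Authenticode signature on the file is for. And on .NET Core and later runtimes the strong-name signature is not validated at load time at all, so the token is purely an identity attribute there. For completeness, a project produces such a token by setting the MSBuild properties SignAssembly and AssemblyOriginatorKeyFile, which is the mechanism behind the MSDN page dajuric linked.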

igitur commented 7 years ago

No, please don't sign assemblies. Please refer to https://www.pedrolamas.com/2016/03/01/still-strong-naming-your-assemblies-you-do-know-its-2016-right/

dajuric commented 7 years ago

Thanks.

spoiledtechie commented 7 years ago

Just because someone wrote a blog article about not signing libraries doesn't mean they shouldn't be signed. Some software is used in a much more secure environment than what most developers use it for. Specifically, the Federal Gov. They require signing, and while regular companies don't require it, there are still plenty that do. Signing only takes a couple of steps and doesn't prevent anyone from using your code. It's a best practice for all code, even though some might not think so, since they have never worked in the secure space before. They have no insight into it.

SuperJMN commented 7 years ago

Someone? Pedro Lamas is a well-known developer and he gives you arguments not to do it. I'm with him and against signing the assemblies.