danielwertheim / Ensure.That

Guard clause project for .NET
MIT License

Digitally signed assemblies #168

Closed PNicolle closed 2 years ago

PNicolle commented 2 years ago

Hello, the nature of our business requires to have all assemblies digitally signed. Is it possible to publish a nuget package with digitally signed Ensure.That assemblies.

Thanks

ndrwrbgs commented 2 years ago

Are you familiar with which signing your team requires? Some examples are Authenticode and Strong Name.


PNicolle commented 2 years ago

We need both:
- strong name, because our assemblies are strong named and can only reference strong named assemblies
- authenticode signing with a certificate, to verify publisher identity and code integrity

PNicolle commented 2 years ago

Any plan on that?

danielwertheim commented 2 years ago

Never worked with signing a package using "Authenticode". What does it require from our end? Buy a certificate?

PNicolle commented 2 years ago

For authenticode, your assemblies have to be digitally signed by a trusted Certificate Authority (ex Verisign, Symantec, ...). In most cases it is not free :-( , you must buy a certificate. An alternative is to be a member of some organization that manages authenticode signing for free. I only know the [.NET Foundation](https://dotnetfoundation.org/), but maybe there are others.

ndrwrbgs commented 2 years ago

I went to do this, but see that since 90273964 the assembly should already have been StrongName signed.


```
c:\src\Ensure.That\src>sn -Tp C:\Downloads\ensure.that.11.0.0-p3.nupkg\lib\net462\Ensure.That.dll

Microsoft (R) .NET Framework Strong Name Utility  Version 4.0.30319.0
Copyright (c) Microsoft Corporation.  All rights reserved.

Public key (hash algorithm: sha1):
0024000004800000940000000602000000240000525341310004000001000100fdc6a96b633553
8f035f07b37d3a05122131f6b1980a765d384165488b3238eaa8b87616e6cdd7a9d50fda568433
a505bb41d1e0de1323381d836763a885eb194961e0b601bff2a059cb0ca594f43c58c3202f9c15
6eca7a1e84f8d1815426798c066174d53344be68e766245032c80b2b33e3f48c06dc1f73df9200
c173e5a3

Public key token is d7cf9132176ba30b
```

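
The thread asks for two different things, a strong name and an Authenticode signature, and the `sn -Tp` output above only answers the first for one file. The script below is an added example, not code from the Ensure.That project or from anyone in this thread: it unpacks a local `.nupkg`, and for every managed assembly inside it reports the strong-name public key token (read from the assembly manifest, so `sn.exe` is not required) and the Authenticode status as seen by `Get-AuthenticodeSignature`. The `$ExpectedToken` default is the token printed by `sn -Tp` above; the package path is whatever the caller supplies.

```powershell
# Added example (not from the Ensure.That project): list the strong-name token and
# Authenticode status of every .dll inside a NuGet package.
# Assumptions: Windows PowerShell 5.1 or PowerShell 7 on Windows
# (Get-AuthenticodeSignature is Windows-only) and a local .nupkg path from the caller.
param(
    [Parameter(Mandatory = $true)]
    [string]$PackagePath,
    # Expected token to compare against; default is the value sn -Tp printed in this thread.
    [string]$ExpectedToken = 'd7cf9132176ba30b'
)

Add-Type -AssemblyName System.IO.Compression.FileSystem

# A .nupkg is a plain zip archive; extract it to a throwaway folder.
$extractDir = Join-Path ([System.IO.Path]::GetTempPath()) ('nupkg-' + [Guid]::NewGuid())
[System.IO.Compression.ZipFile]::ExtractToDirectory($PackagePath, $extractDir)

try {
    Get-ChildItem -Path $extractDir -Recurse -Filter *.dll | ForEach-Object {
        $dll = $_.FullName

        # Strong name: a non-empty public key token in the manifest means the
        # assembly was built against a key. This does NOT verify the signature;
        # use "sn -vf <dll>" for that (note strong-name verification is skipped
        # by default on .NET Framework 4.5 and later).
        $asmName    = [System.Reflection.AssemblyName]::GetAssemblyName($dll)
        $tokenBytes = $asmName.GetPublicKeyToken()
        $token = ''
        if ($tokenBytes -and $tokenBytes.Length -gt 0) {
            $token = ($tokenBytes | ForEach-Object { $_.ToString('x2') }) -join ''
        }

        # Authenticode: Status is Valid, NotSigned, HashMismatch, UnknownError, ...
        $sig = Get-AuthenticodeSignature -FilePath $dll

        [pscustomobject]@{
            Assembly             = $dll.Substring($extractDir.Length + 1)
            StrongNamed          = ($token -ne '')
            PublicKeyToken       = $token
            TokenMatchesExpected = ($token -eq $ExpectedToken)
            AuthenticodeStatus   = $sig.Status
            Signer               = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        }
    }
}
finally {
    # Always clean up the extracted copy, even if a file failed to load.
    Remove-Item -Path $extractDir -Recurse -Force
}
```

Run it as `.\Check-PackageSigning.ps1 -PackagePath C:\Downloads\ensure.that.11.0.0-p3.nupkg` (the script name is the caller's choice). For a package like the one above you would expect `StrongNamed` to be true and `TokenMatchesExpected` to be true for every target framework folder, while `AuthenticodeStatus` will read `NotSigned` unless the publisher has also code-signed the binaries, which is exactly the gap this issue is about. Keep in mind that a matching public key token only shows which key the assembly claims to be signed with; a consumer who needs assurance that the file was not tampered with should still run `sn -vf` and, for Authenticode, check that `Status` is `Valid` and that the `Signer` subject is the publisher they expect.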
ndrwrbgs commented 2 years ago

My research into Authenticode for public products suggests that while some solutions^1 exist, they do require a centralized governing body and deployment setup for them. I don't see good solutions for this yet for the non-centralized, distributed open-source space. I believe I've heard some teams which require signing might be on-behalf-of signing third party dependencies at build time, to enable Application Verification rules on their VMs which require signed binaries.

danielwertheim commented 2 years ago

If I understand this correctly it will incur costs etc. Hence why I will close this issue. SNK will be it for now. Feel free to re-open if I've misunderstood anything. Any organization could just clone the repo and use it internally.