dotnet / docs

This repository contains .NET Documentation.
https://learn.microsoft.com/dotnet
Creative Commons Attribution 4.0 International

Private keys into source control? #10549

Closed cleberdantas closed 3 years ago

cleberdantas commented 5 years ago

The documentation states at the end:

"If you are an open-source developer and you want the identity benefits of a strong-named assembly, consider checking in the private key associated with an assembly into your source control system."

Is it really a good thing to do?



ed-karabinus commented 5 years ago

I second this question. I have always thought that it is an exceptionally bad security practice to check any private cryptographic keys into a source control system (especially a publicly hosted one like GitHub), so I would like to see some persuasive rationale for this suggestion.

mikedn commented 5 years ago

See the warning near the top of the documentation page:

> Do not rely on strong names for security. They provide a unique identity only.

See also https://docs.microsoft.com/en-us/dotnet/standard/library-guidance/strong-naming. Perhaps this doc page should link to that.

rokibullah commented 5 years ago

I lost my password

djee-ms commented 5 years ago

Ping - No matter what, checking in a private key is extremely bad practice. You are losing any kind of benefit here, even the unique identity, if anyone can grab the private key and sign a tampered assembly pretending to be the original one.

mikedn commented 5 years ago

> You are losing any kind of benefit here, even the unique identity, if anyone can grab the private key and sign a tampered assembly pretending to be the original one.

Strong naming isn't an anti-tampering mechanism, except perhaps when used in conjunction with CAS. But CAS is dead.

dotnet-bot commented 3 years ago

This issue has been closed as part of the issue backlog grooming process outlined in #22351.

That automated process may have closed some issues that should be addressed. If you think this is one of them, reopen it with a comment explaining why. Tag the @dotnet/docs team for visibility.