serilog / serilog-expressions

An embeddable mini-language for filtering, enriching, and formatting Serilog events, ideal for use with JSON or XML configuration.
Apache License 2.0

Digitally sign DLLs as tampering protection proof #95

Open hamjo opened 1 year ago

hamjo commented 1 year ago

I'd like to be able to prove Serilog.Expressions.dll hasn't been tampered with, but I can't since this file doesn't have a digital signature.

Signing Serilog.Expressions.dll in the shipped NuGet package would enable us to secure our supply chain.

Our corporate policy requires us to only use digitally signed DLLs. We'll have to stop using Serilog without that feature.

nblumhardt commented 1 year ago

Hi @hamjo, thanks for dropping by!

Just to clarify, do you mean Serilog.Expressions.dll specifically, using code signing, or do you mean the Serilog.Expressions NuGet package?

Also, is there anything specific about Serilog.Expressions.dll that's different from Serilog.dll? (Just curious why you mention it specifically, rather than the core package/sink packages/etc.)

Many thanks, Nick

hamjo commented 1 year ago

Hi @nblumhardt

Yes, I meant Serilog.Expressions.dll specifically, using code signing. For some internal reason, this DLL was the first to be internally flagged as unsigned. But as this requirement rolls out, I would be opening similar issues in core packages.

cocowalla commented 1 year ago

@hamjo isn't it rather... unusual for OSS projects to supply authenticode-signed binaries? Very curious to find out what other OSS deps you have that ship signed binaries?

I once worked with a bank that had the requirement that all .NET binaries were digitally signed, but we had to build from source and sign ourselves, with a code signing certificate provided by the bank - it was the only way to avoid a supply chain attack, and know for sure that the signed binaries had been built from the expected code.
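The two checks this thread is really about, as an added example (not code from the serilog-expressions project or from either commenter): report the Authenticode status of every DLL inside a downloaded .nupkg, and sign the ones you built yourself with your own code-signing certificate. The package path and the certificate thumbprint are assumptions; the timestamp server is DigiCert's public RFC 3161 endpoint.

```powershell
# Added example, not code from the serilog-expressions project.
# A .nupkg is a zip archive, so it can be opened with the .NET ZipFile API.
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Get-NupkgDllSignatures {
    param([Parameter(Mandatory)][string] $NupkgPath)
    # Extract the package to a scratch directory and inspect every DLL in it.
    $work = Join-Path ([IO.Path]::GetTempPath()) ("nupkg-" + [Guid]::NewGuid().ToString('N'))
    [IO.Compression.ZipFile]::ExtractToDirectory((Resolve-Path $NupkgPath).Path, $work)
    Get-ChildItem -Path $work -Filter *.dll -Recurse | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Dll    = $_.FullName.Substring($work.Length + 1)
            # NotSigned = no signature at all; HashMismatch = signed but modified afterwards
            Status = $sig.Status
            Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        }
    }
}

function Add-OwnSignature {
    param(
        [Parameter(Mandatory)][string] $DllPath,
        [Parameter(Mandatory)][string] $CertThumbprint   # assumed: your own cert in CurrentUser\My
    )
    $cert = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Thumbprint -eq $CertThumbprint }
    if (-not $cert) { throw "Code-signing certificate $CertThumbprint not found in CurrentUser\My" }
    # Countersign with an RFC 3161 timestamp so the signature outlives the certificate's validity.
    Set-AuthenticodeSignature -FilePath $DllPath -Certificate $cert `
        -HashAlgorithm SHA256 -TimestampServer 'http://timestamp.digicert.com'
}

# Usage (the package path is an assumption): list every DLL, then flag anything not validly signed.
$report = Get-NupkgDllSignatures -NupkgPath '.\Serilog.Expressions.nupkg'
$report | Format-Table -AutoSize
$bad = @($report | Where-Object { $_.Status -ne 'Valid' })
if ($bad.Count -gt 0) {
    Write-Warning "$($bad.Count) DLL(s) are NotSigned or HashMismatch; build from source and sign with Add-OwnSignature"
}
```

Note that nuget.org applies a repository signature to the .nupkg itself, which `dotnet nuget verify --all <package>` checks; that is a separate guarantee from Authenticode on the DLLs inside, which is what the report above inspects.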