serilog / serilog-expressions

An embeddable mini-language for filtering, enriching, and formatting Serilog events, ideal for use with JSON or XML configuration.
Apache License 2.0
190 stars 17 forks source link

Digitally sign DLLs as tampering protection proof #95

Open hamjo opened 1 year ago

hamjo commented 1 year ago

I'd like to be able to prove Serilog.Expressions.dll hasn't been tampered, but I can't since this file doesn't have a digital signature.

Signing Serilog.Expressions.dll in the the shipped NuGet package would enable us to secure our supply chain.

Our corporate policy requires us to only use digitally signed DLLs. We'll have to stop using Serilog without that feature.

nblumhardt commented 1 year ago

Hi @hamjo, thanks for dropping by!

Just to clarify, do you mean Serilog.Expressions.dll specifically, using code signing, or do you mean the Serilog.Expressions NuGet package?

Also, is there anything specific about Serilog.Expressions.dll that's different from Serilog.dll? (Just curious why you mention it specifically, rather than the core package/sink packages/etc.)

Many thanks, Nick

hamjo commented 1 year ago

Hi @nblumhardt

Yes I meant Serilog.Expressions.dll specifically. using code signing. For some internal reason, this dll was the first to be internally flagged as unsigned. But as this requirement rolls out, I would be opening similar issues in core packages.

cocowalla commented 1 year ago

@hamjo isn't it rather... unusual for OSS projects to supply authenticode-signed binaries? Very curious to find out what other OSS deps you have that ship signed binaries?

I once worked with a bank that had the requirement that all .NET binaries were digitally signed, but we had to build from source and sign ourselves, with a code signing certificate provided by the bank - it was the only way to avoid a supply chain attack, and know for sure that the signed binaries had been built from the expected code.