jabbera closed this 8 years ago
I haven't had to use strong naming before so my experience with it is limited.
I am using AppVeyor to build the project so it would need to work with this. I think it is possible from this post: http://help.appveyor.com/discussions/questions/217-signing-net-assemblies-without-exposing-the-snk-file-publicly
To do this I will need to change the build process to build the project with a PowerShell script instead of the defaults.
I'll need to play around with this. I am not sure about the dependencies and whether they are strong named, which to my knowledge may impact on the ability to use strong naming for this package.
The issue with code signing is signed code can only use libraries that are signed.
I'm not convinced leaving the strong name private is a good thing to do. It basically means that you would be the only person able to publish a new version of the library, even if you get hit by a bus and your super secret password is lost. (Or just lose the key like the log4net team did.)
Its origins are in making sure that a library is produced by the original author and not man-in-the-middled by a third party, hence the private signing key. Many open source projects just commit in the key file as they are meant to be openly redistributed. (They only sign them so other signed code can use them.)
I've never used AppVeyor but enabling code signing is just a matter of checking a box in Visual Studio on your projects. It will generate a key and everything. It will ask you for a password which you can leave blank.
I've taken a look at this. Enabling it looks easy enough, and I tested this on my machine. However, one of the dependencies I am using is not strongly named, Tavis.UriTemplates.
I've had a look through the issues on the project and found this: "Signing the assembly in the nuget package" #28. It seems the author doesn't want to sign the project.
Unless the project owner of Tavis.UriTemplates changes his mind, my hands are tied. You could add a comment on that issue if you wish.
Please strong name Halcyon. It's unusable from signed code :-(
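
The dependency problem discussed in this thread (a strong-named assembly cannot reference one that is not strong-named) can be checked before signing is switched on. The script below is an added example, not part of the thread or of either project; the function names `Get-StrongNameStatus` and `Assert-AllStrongNamed` are hypothetical, and the folder it scans is whatever path you pass in.

```powershell
# Added example: report which .NET assemblies under a folder carry a strong-name identity.
# Note: a public key token in the manifest shows the assembly declares a strong name;
# it does not prove the signature is valid (delay-signed builds also carry a token).
function Get-StrongNameStatus {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)

    Get-ChildItem -Path $Path -Filter *.dll -Recurse -File | ForEach-Object {
        $file = $_
        try {
            # Reads the assembly manifest without loading the assembly for execution.
            $name  = [System.Reflection.AssemblyName]::GetAssemblyName($file.FullName)
            $token = $name.GetPublicKeyToken()
            $hex   = if ($token -and $token.Length -gt 0) {
                -join ($token | ForEach-Object { $_.ToString('x2') })
            } else { $null }

            [pscustomobject]@{
                Assembly       = $name.Name
                Version        = $name.Version
                PublicKeyToken = $hex
                StrongNamed    = [bool]$hex
                File           = $file.FullName
            }
        } catch [System.BadImageFormatException] {
            # Native (non-.NET) DLL: it has no assembly manifest, so skip it.
        }
    }
}

# Fails a build step when any dependency in the folder lacks a strong name.
function Assert-AllStrongNamed {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)

    $unsigned = @(Get-StrongNameStatus -Path $Path | Where-Object { -not $_.StrongNamed })
    if ($unsigned.Count -gt 0) {
        $list = ($unsigned | ForEach-Object { $_.Assembly }) -join ', '
        throw "Assemblies without a strong name: $list"
    }
}

# Demonstration on a folder that exists on any PowerShell install (constructed usage):
Get-StrongNameStatus -Path $PSHOME | Sort-Object StrongNamed | Select-Object -First 10 |
    Format-Table Assembly, Version, PublicKeyToken, StrongNamed
```

Run against a restored package folder, `Assert-AllStrongNamed` would name an unsigned dependency such as the one described above before the signed build fails on it.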