Sign assemblies #8

Open
thargy opened this issue Jan 23, 2014 · 1 comment
Comments

thargy commented Jan 23, 2014

In .NET, signed assemblies cannot make use of unsigned assemblies. When publishing to a public NuGet, if your assemblies are unsigned, they cannot be easily used in projects that are signed, significantly reducing their usability and usefulness.

Signing is trivially easy and has no downsides (the signed assemblies can be used in unsigned projects). You can create a key and sign the assembly from the project properties page. Any DLL that you are pushing to the NuGet should be signed.

The standard approach is to NOT upload the official key to GitHub, and instead place a note in the project to indicate to contributors that they should add their own signatures whilst building. This ensures you can validate the ownership of the NuGet.

@cwensley
Member

Strong naming the assembly has some caveats re. the assembly version number. For example, if the version number were updated, any assemblies that link to it would need a binding redirect, which is pretty ugly. In order for this to work well, we'd have to 'freeze' the assembly version, and only update the file version for each release. This is what MS does with the .NET stack, and is also what Json.NET is doing (see here).
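
The two points raised in this thread (every DLL pushed to NuGet carries a strong name, and the assembly version stays frozen while the file version changes per release) can be checked on a build output folder before packing. The script below is an added example, not part of the thread or the project; the `Get-StrongNameReport` function name and the `.\bin\Release` default path are assumptions.

```powershell
# Added example: audit a build output folder before packing it for NuGet.
# $OutputDir is a hypothetical default; point it at your own build output.
param(
    [string]$OutputDir = '.\bin\Release'
)

function Get-StrongNameReport {
    param([Parameter(Mandatory)][string]$Path)

    Get-ChildItem -Path $Path -Filter *.dll -Recurse | ForEach-Object {
        $item = $_
        try {
            # Reads the assembly identity from metadata without loading the assembly.
            $name = [System.Reflection.AssemblyName]::GetAssemblyName($item.FullName)
        } catch [System.BadImageFormatException] {
            return   # native DLL, not a managed assembly: skip this file
        }

        # An empty or null token means the assembly has no strong name.
        $token = $name.GetPublicKeyToken()
        $tokenHex = $null
        if ($token -and $token.Length -gt 0) {
            $tokenHex = -join ($token | ForEach-Object { $_.ToString('x2') })
        }

        [pscustomobject]@{
            Assembly        = $item.Name
            StrongNamed     = [bool]$tokenHex
            PublicKeyToken  = $tokenHex
            # AssemblyVersion is part of the strong-name identity (the value to freeze);
            # FileVersion is informational and can change with every release.
            AssemblyVersion = $name.Version.ToString()
            FileVersion     = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($item.FullName).FileVersion
        }
    }
}

$report = @(Get-StrongNameReport -Path $OutputDir)
$report | Format-Table -AutoSize

# Fail the build step if any managed DLL would ship without a strong name.
$unsigned = @($report | Where-Object { -not $_.StrongNamed })
if ($unsigned.Count -gt 0) {
    Write-Error ("Unsigned assemblies: " + ($unsigned.Assembly -join ', '))
    exit 1
}
```

A public key token only shows that the assembly carries a strong-name identity; a delay-signed assembly has a token but no valid signature, so `sn.exe -vf <assembly>` is still needed to verify the signature itself.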
