NetTopologySuite / NetTopologySuite.IO.GeoJSON

GeoJSON IO module for NTS.

Signing of assemblies

xivk opened this issue

I was wondering why the packages have been signed, AFAIK we haven't been doing this in any other NTS project.

https://github.com/NetTopologySuite/NetTopologySuite.IO.GeoJSON/blob/develop/src/NetTopologySuite.IO.GeoJSON4STJ/NetTopologySuite.IO.GeoJSON4STJ.csproj#L17

I have a bug that has been fixed here but has not been released yet. This makes it impossible for us to fix this with a local build without updating all the packages that have dependencies on this package first. An almost impossible task.

Or am I wrong in this assumption and/or have I missed something on signing assemblies in .NET6? I thought we were finally rid of this, help! 😭 cc @airbreather

Hmm I seem to be looking in the wrong direction. If so please ignore and close.

> AFAIK we haven't been doing this in any other NTS project.

NetTopologySuite.dll itself has been signed for quite a while...

Signing has been part of the standard guidance for publicly distributed .NET libraries for a while. It's practically irrelevant in .NET Core / .NET 5+ (AFAIK), but in .NET Framework, publishing our assemblies with strong names allows them to be referenced by other assemblies that also have strong names (for whatever reason).

As the library is open-source, and we are not actually using the signing key for anything directly security-relevant, the signing key is publicly available at /nts.snk in this repository, so I don't expect that the decision to sign the assemblies (by itself) should pose a hard blocker for building a local drop-in replacement package. You would just need to ensure that the assembly version matches, which should be especially straightforward because we also follow the guidance of only including the major version number in our assembly versions.
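A check for the drop-in condition described in the comment above, added here as an illustration and not part of the thread or the project's code: it compares the identity fields a strong-named reference binds on in .NET Framework (simple name, assembly version, culture, public key token). The class name, the `Example.Library` identities and the token values are constructed placeholders; pass two DLL paths to compare real files instead.

```csharp
using System;
using System.Collections.Generic;
using System.Reflection;

static class DropInCheck
{
    // Public key token as lowercase hex; empty when the assembly is unsigned.
    static string Token(AssemblyName n) =>
        BitConverter.ToString(n.GetPublicKeyToken() ?? Array.Empty<byte>())
            .Replace("-", "").ToLowerInvariant();

    // Lists every identity field on which the local build differs from the published one.
    static List<string> Differences(AssemblyName published, AssemblyName local)
    {
        var diffs = new List<string>();
        if (!string.Equals(published.Name, local.Name, StringComparison.OrdinalIgnoreCase))
            diffs.Add($"name: {published.Name} vs {local.Name}");
        if (!Equals(published.Version, local.Version))
            diffs.Add($"assembly version: {published.Version} vs {local.Version}");
        if (!string.Equals(published.CultureName, local.CultureName, StringComparison.OrdinalIgnoreCase))
            diffs.Add($"culture: '{published.CultureName}' vs '{local.CultureName}'");
        if (Token(published) != Token(local))
            diffs.Add($"public key token: '{Token(published)}' vs '{Token(local)}'");
        return diffs;
    }

    static void Report(string label, AssemblyName published, AssemblyName local)
    {
        var diffs = Differences(published, local);
        Console.WriteLine(diffs.Count == 0
            ? $"{label}: identities match, usable as a drop-in replacement"
            : $"{label}: NOT a drop-in replacement\n  " + string.Join("\n  ", diffs));
    }

    static void Main(string[] args)
    {
        if (args.Length == 2) // usage: DropInCheck <published.dll> <local.dll>
        {
            Report("files", AssemblyName.GetAssemblyName(args[0]), AssemblyName.GetAssemblyName(args[1]));
            return;
        }
        // Constructed sample identities (hypothetical name and token, not the project's real values).
        var published = new AssemblyName("Example.Library, Version=2.0.0.0, Culture=neutral, PublicKeyToken=0123456789abcdef");
        var signedSameVersion = new AssemblyName("Example.Library, Version=2.0.0.0, Culture=neutral, PublicKeyToken=0123456789abcdef");
        var unsignedBumped = new AssemblyName("Example.Library, Version=2.1.0.0, Culture=neutral, PublicKeyToken=null");
        Report("signed with the same key, same assembly version", published, signedSameVersion);
        Report("unsigned build with a bumped assembly version", published, unsignedBumped);
    }
}
```

The NuGet package version and the file version are not part of this identity, so a local fix can carry a different package version as long as the assembly version stays the same.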

Hey thanks @airbreather for the quick response. I noticed some of what you said in the meantime and was perhaps a bit quick posting this issue. We probably should update the vector tiles packages too then.

I fixed it by copy/pasting only the code I needed to fix things from the latest develop branch here. What's the release strategy for this repository? Anything I can do to help?