NettopologySuite.IO.GeoJSON.dll is not digitally signed when delivered

Question

NettopologySuite.IO.GeoJSON.dll is not digitally signed when delivered

Souvikbera7 opened this issue 9 months ago · comments

I am trying to use the nuget package NettopologySuite.IO.GeoJSON in our project but when we are trying to deliver the project for release we are getting a message from our audit tool-

MSI key: "A:\A#00\binaries.zip#E\NetTopologySuite.IO.GeoJSON.dll"
Reason: Prove authenticity and maintain tamper resistance.

Is this library digitally signed when published to nuget?

Joe Amenta · Answer 1 · Fri Feb 16 2024 20:28:38 GMT+0800 (China Standard Time)

Is this library digitally signed when published to nuget?

No, and I don't think we should do this (I had a long comment typed up explaining why, but it was too long, so I've just deleted it). In case it helps you satisfy your audit tool, here's what you can do:

The Microsoft.Windows.SDK.BuildTools package has arm64, x86, and x64 versions of signtool.exe which you can use to sign any file (or at least .dll and .exe files). See SignTool.exe (Sign Tool) and Using SignTool to Sign a File.

Souvik Bera · Answer 2 · Mon Feb 19 2024 17:35:45 GMT+0800 (China Standard Time)

Thanks for the response, I assume it is ok to sign using our company signing tool. There won't be any legal issues on it right? Please confirm.

Joe Amenta · Answer 3 · Tue Feb 20 2024 11:35:37 GMT+0800 (China Standard Time)

I assume it is ok to sign using our company signing tool. There won't be any legal issues on it right? Please confirm.

I don't understand the question, because I don't know what usage you're specifically interested in comment on. But I don't think it matters, because the code and binaries are distributed under the BSD 3-Clause license, which supersedes anything that I could say about that topic.

TLDRLegal has a page on BSD 3-Clause that explains it better than I can, including the part where they also say that they aren't giving legal advice.

Joe Amenta · Answer 4 · Sat Apr 20 2024 20:03:50 GMT+0800 (China Standard Time)

As with NetTopologySuite/NetTopologySuite#691, it is a problem that code signing is not free for us (or even cheap, or even a one-time-only payment), and I see absolutely no practical security benefit to users relative to the status quo.

Code signing at an individual organization level does not require the same expense. You need only a certificate that's trusted by relevant machines within your own organization, which your organization can maintain without paying a third-party to ensure that your signature is recognized globally.