dsplaisted / strongnamer

Concerns using this tool in an enterprise environment

JoachimDunkel opened this issue · comments

Our codebase features a solution with +100 projects. I am concerned about integrating this tool because of legal issues.
As an enterprise we can't just run around and sign third party .dlls.
Do we need to check if we have the legal permissions for signing every CL project we are using?
Or did I understand your tool wrong?

I'm not the author, but my take on it is that you're on your own. If you need signed assemblies, this is just a tool enabling it - you will definitely need to clear this legally, you don't want to be the person responsible.

A common solution before StrongNamer was to do an in-house signed build of an open source project, pushed to a private NuGet feed.
An alternative is to merge 3rd party assemblies with your own code (using ilmerge or ilrepack), and sign the result.

The end results are pretty much the same, but these latter approaches give you greater control and awareness of the code actually included, at the cost of considerably more work.

Whether and how you use StrongNamer must be vetted by your legal department.

Note that StrongNamer seems to have undocumented support for providing your own code signing key - I have not tested it.

@iDouzer Just to add to what @ugumba said, by signing these 3rd party assemblies, you're effectively modifying the binaries, so if you want to be safe, then yes... You should make sure the license of each of these projects doesn't prohibit you from modifying the binaries.

For most open source projects, it should be an easy task as they usually use well-known licenses such as Apache, MIT, etc.
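Before deciding which licenses need review, it helps to know exactly which assemblies in a build lack a strong name, since those are the binaries a tool like StrongNamer would rewrite. The following PowerShell script is an added example, not code from StrongNamer or from anyone in this thread; it assumes a hypothetical build output folder `$OutputDir` and reads only each assembly's manifest without loading it.

```powershell
# Added example: inventory which managed assemblies in a build output are NOT strong-named.
# Those are the files a tool such as StrongNamer would modify, so their licenses need review first.
# Assumes $OutputDir (hypothetical path) contains the compiled .dll files.
param(
    [string]$OutputDir = ".\bin\Release"   # hypothetical; point at your real build output
)

$report = Get-ChildItem -Path $OutputDir -Filter *.dll -Recurse | ForEach-Object {
    $file = $_   # keep the pipeline item; inside catch, $_ is the error record
    try {
        # GetAssemblyName reads the manifest only; the assembly is not loaded or executed.
        $asmName = [System.Reflection.AssemblyName]::GetAssemblyName($file.FullName)
        $token   = $asmName.GetPublicKeyToken()
        $signed  = ($null -ne $token) -and ($token.Length -gt 0)
        $tokenHex = if ($signed) { ($token | ForEach-Object { $_.ToString('x2') }) -join '' } else { '' }
        [pscustomobject]@{
            File           = $file.Name
            StrongNamed    = $signed
            PublicKeyToken = $tokenHex
            Version        = $asmName.Version.ToString()
        }
    } catch [System.BadImageFormatException] {
        # Native (unmanaged) DLLs have no assembly manifest and cannot be strong-named.
        [pscustomobject]@{
            File           = $file.Name
            StrongNamed    = $false
            PublicKeyToken = 'n/a (native)'
            Version        = ''
        }
    }
}

# The unsigned managed assemblies are the candidates for rewriting; list them for license review.
$report | Where-Object { -not $_.StrongNamed -and $_.PublicKeyToken -ne 'n/a (native)' } |
    Sort-Object File | Format-Table -AutoSize
```

Run it against the output of a full build so transitive NuGet dependencies are included, since those are the third-party binaries most likely to be missing a strong name.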