Nuget assemblies not signed
rkkr opened this issue · comments
Tested packages:
- https://www.nuget.org/packages/NodaTime/3.1.6
- https://www.nuget.org/packages/NodaTime.Serialization.SystemTextJson/1.0.0
- https://www.nuget.org/packages/NodaTime.Serialization.JsonNet/3.0.1
Results:
signtool verify /pa NodaTime.dll
File: NodaTime.dll
Index Algorithm Timestamp
========================================
SignTool Error: No signature found.
Number of errors: 1
signtool verify /pa NodaTime.Serialization.SystemTextJson.dll
File: NodaTime.Serialization.SystemTextJson.dll
Index Algorithm Timestamp
========================================
SignTool Error: No signature found.
Number of errors: 1
signtool verify /pa NodaTime.Serialization.JsonNet.dll
File: NodaTime.Serialization.JsonNet.dll
Index Algorithm Timestamp
========================================
SignTool Error: No signature found.
Number of errors: 1
Windows Explorer also doesn't show Digital Signatures tab in File Properties.
Indeed, they're not signed at the moment. (They're strong-named, but not otherwise signed.)
How much of an issue is this for you? I'm unlikely to find time to sort out all the infrastructure any time soon, unless there's an urgent need.
Working in a large corporation we have to deal with audits which constantly flag things like these. Then we have to go through the process of "we don't own this code, here's the nuget it came from". It's not breaking (for as long as we can point at the owner), but you can guess how inconvenient that is.
Interesting. (We don't sign the Google Cloud client libraries either at the moment, although that may happen in the future.)
I'll put this on my to-do list, initially for investigation. If it drops out easily (and without too much expense!) then I'll happily implement it when I can.
Okay, it looks like this is doable, even though it's a bit of a hassle (and may well make it harder for me to move releasing into the cloud, which I'd hoped to do).
Importantly, "dotnet nuget sign" doesn't sign the assemblies within the package. Instead, we'll need to run:
- Run "dotnet build" as normal
- Then sign each DLL with "signtool sign"
- Build the package with "dotnet pack --no-build"
- Sign the package with "dotnet nuget sign"
That still doesn't show a digital signature in the nuget file in file properties, although it does show it in NuGet package explorer. I assume that won't be a problem?
We're likely to have a new patch release soon due to TZDB changes, so I'll try to get all of this scripted by then (with confidential stuff in environment variables).
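An added check for the consumer side of this pipeline (example code, not part of NodaTime or this thread): it opens a .nupkg, reads each DLL's PE header to see whether the certificate table slot that signtool fills is populated, and reports whether the package-level signature file (.signature.p7s, written by "dotnet nuget sign") is present. The stub PE and package builders are constructed fixtures, not real assemblies.

```python
import io
import struct
import zipfile

IMAGE_DIRECTORY_ENTRY_SECURITY = 4  # certificate table slot among the PE data directories
DATA_DIRECTORY_OFFSET = {0x10B: 96, 0x20B: 112}  # data-directory offset in the optional header: PE32, PE32+


def has_authenticode_signature(pe: bytes) -> bool:
    """True when the PE image carries a non-empty certificate table (an Authenticode signature)."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not a PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    opt = e_lfanew + 4 + 20  # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic not in DATA_DIRECTORY_OFFSET:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    entry = opt + DATA_DIRECTORY_OFFSET[magic] + IMAGE_DIRECTORY_ENTRY_SECURITY * 8
    offset, size = struct.unpack_from("<II", pe, entry)  # for this slot the first field is a file offset
    return offset != 0 and size != 0


def audit_nupkg(nupkg: bytes) -> dict:
    """Report the package-level signature and every DLL inside that lacks an Authenticode signature."""
    with zipfile.ZipFile(io.BytesIO(nupkg)) as z:
        names = z.namelist()
        unsigned = sorted(n for n in names if n.lower().endswith(".dll")
                          and not has_authenticode_signature(z.read(n)))
    # NuGet stores the package signature as .signature.p7s at the zip root.
    return {"package_signed": ".signature.p7s" in names, "unsigned_dlls": unsigned}


def make_stub_pe(signed: bool) -> bytes:
    """Constructed minimal PE32+ header (not a real assembly), with or without a certificate table entry."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)              # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)   # x64, 240-byte optional header
    directories = [(0, 0)] * 16
    directories[IMAGE_DIRECTORY_ENTRY_SECURITY] = (0x1000, 0x200) if signed else (0, 0)
    opt = struct.pack("<H", 0x20B) + b"\0" * 110 + b"".join(struct.pack("<II", *d) for d in directories)
    return dos + b"PE\0\0" + coff + opt


def make_stub_nupkg(dlls: dict, package_signed: bool) -> bytes:
    """Constructed .nupkg (a plain zip) holding the given DLL bytes under lib/."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in dlls.items():
            z.writestr(f"lib/netstandard2.0/{name}", data)
        if package_signed:
            z.writestr(".signature.p7s", b"constructed placeholder, not a real PKCS#7 blob")
    return buf.getvalue()
```

Run audit_nupkg on a real package to get the same "unsigned assemblies" finding the signtool runs above produced, without extracting the DLLs by hand.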
I've just released NodaTime 3.1.7 and NodaTime.Testing 3.1.7, both of which are signed.
I'll close this issue now, but please let me know if anything doesn't look right to you.