nodatime / nodatime

A better date and time API for .NET

Home Page:https://nodatime.org


Nuget assemblies not signed

rkkr opened this issue · comments

Tested packages:

Results:

signtool verify /pa NodaTime.dll
File: NodaTime.dll
Index  Algorithm  Timestamp
========================================
SignTool Error: No signature found.

Number of errors: 1
signtool verify /pa NodaTime.Serialization.SystemTextJson.dll
File: NodaTime.Serialization.SystemTextJson.dll
Index  Algorithm  Timestamp
========================================
SignTool Error: No signature found.

Number of errors: 1
signtool verify /pa NodaTime.Serialization.JsonNet.dll
File: NodaTime.Serialization.JsonNet.dll
Index  Algorithm  Timestamp
========================================
SignTool Error: No signature found.

Number of errors: 1

Windows Explorer also doesn't show Digital Signatures tab in File Properties.

Indeed, they're not signed at the moment. (They're strong-named, but not otherwise signed.)
How much of an issue is this for you? I'm unlikely to find time to sort out all the infrastructure any time soon, unless there's an urgent need.

Working in a large corporation we have to deal with audits which constantly flag things like these. Then we have to go through the process of "we don't own this code, here's the nuget it came from". It's not breaking (for as long as we can point at the owner), but you can guess how inconvenient that is.

Interesting. (We don't sign the Google Cloud client libraries either at the moment, although that may happen in the future.)
I'll put this on my to-do list, initially for investigation. If it drops out easily (and without too much expense!) then I'll happily implement it when I can.

Okay, it looks like this is doable, even though it's a bit of a hassle (and may well make it harder for me to move releasing into the cloud, which I'd hoped to do).

Importantly, "dotnet nuget sign" doesn't sign the assemblies within the package. Instead, we'll need to run:

  • dotnet build as normal
  • Then sign each DLL with signtool sign
  • Build the package with dotnet pack --no-build
  • Sign the package with dotnet nuget sign

That still doesn't show a digital signature in the nuget file in file properties, although it does show it in NuGet package explorer. I assume that won't be a problem?

We're likely to have a new patch release soon due to TZDB changes, so I'll try to get all of this scripted by then (with confidential stuff in environment variables).
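The two checks an auditor actually runs against the output of the pipeline above are the ones the opening report and the last comment touch on: does each assembly inside the package carry an Authenticode signature (what `signtool verify /pa` and Explorer's Digital Signatures tab look at), and does the package itself carry a NuGet signature (which lives as a `.signature.p7s` entry inside the zip, not as an Authenticode signature on the `.nupkg` file, which is why File Properties shows nothing while NuGet Package Explorer does). The script below is an added example, not Noda Time project code: it reads the PE `IMAGE_DIRECTORY_ENTRY_SECURITY` data directory of every DLL in a package and looks for the `.signature.p7s` entry. It only reports presence; it does not validate the certificate chain or timestamp, so `signtool verify /pa` or `dotnet nuget verify` remains the authoritative check. The package and assembly names, and the signature blobs, are constructed placeholders.

```python
"""Audit a .nupkg for an Authenticode signature on each DLL and a NuGet package signature.

Added example (not from the nodatime repository). Presence-only: nothing here
checks that a signature is cryptographically valid or chains to a trusted root.
"""
import io
import struct
import zipfile

WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002   # wCertificateType for Authenticode PKCS#7
SECURITY_DIR_INDEX = 4                    # IMAGE_DIRECTORY_ENTRY_SECURITY


def authenticode_info(pe: bytes) -> dict:
    """Report whether a PE image has a WIN_CERTIFICATE attached via the security directory.

    The security directory's VirtualAddress is a raw file offset (not an RVA) that
    points at a WIN_CERTIFICATE header: dwLength, wRevision, wCertificateType.
    """
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not a PE image (missing MZ header)")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image (missing PE signature)")
    opt = e_lfanew + 4 + 20                      # skip COFF file header
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x10B:                           # PE32
        num_dirs_off, dirs_off = opt + 92, opt + 96
    elif magic == 0x20B:                         # PE32+
        num_dirs_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    unsigned = {"signed": False, "revision": None, "cert_type": None}
    num_dirs = struct.unpack_from("<I", pe, num_dirs_off)[0]
    if num_dirs <= SECURITY_DIR_INDEX:
        return unsigned
    sec_off, sec_size = struct.unpack_from("<II", pe, dirs_off + 8 * SECURITY_DIR_INDEX)
    if sec_off == 0 or sec_size == 0:
        return unsigned
    if sec_size < 8 or sec_off + sec_size > len(pe):
        raise ValueError("security directory points outside the file")
    _length, revision, cert_type = struct.unpack_from("<IHH", pe, sec_off)
    return {"signed": True, "revision": revision, "cert_type": cert_type}


def audit_nupkg(data: bytes) -> dict:
    """Return {"package_signed": bool, "assemblies": {path: bool}} for a .nupkg (a zip)."""
    result = {"package_signed": False, "assemblies": {}}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name == ".signature.p7s":          # NuGet package signature entry
                result["package_signed"] = True
            elif name.lower().endswith(".dll"):
                result["assemblies"][name] = authenticode_info(zf.read(name))["signed"]
    return result


# --- constructed sample input (headers only, no real code or real signatures) ---

def build_fake_pe(signed: bool) -> bytes:
    """Minimal PE32+ image: DOS stub, PE signature, COFF header, optional header, no sections."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    num_dirs = 16
    opt_size = 112 + 8 * num_dirs
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, opt_size, 0x2022)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)        # PE32+ magic
    struct.pack_into("<I", opt, 108, num_dirs)   # NumberOfRvaAndSizes
    headers_len = len(dos) + 4 + len(coff) + opt_size
    cert_blob = b""
    if signed:
        pkcs7 = b"CONSTRUCTED-PKCS7-PLACEHOLDER"  # stands in for the real SignedData
        cert_blob = struct.pack("<IHH", 8 + len(pkcs7), 0x0200,
                                WIN_CERT_TYPE_PKCS_SIGNED_DATA) + pkcs7
        struct.pack_into("<II", opt, 112 + 8 * SECURITY_DIR_INDEX, headers_len, len(cert_blob))
    return dos + b"PE\0\0" + coff + bytes(opt) + cert_blob


def build_fake_nupkg(package_signed: bool, dll_signed: bool) -> bytes:
    """Constructed package with one assembly; names are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Example.nuspec", "<package/>")
        zf.writestr("lib/net6.0/Example.dll", build_fake_pe(dll_signed))
        if package_signed:
            zf.writestr(".signature.p7s", b"CONSTRUCTED-PACKAGE-SIGNATURE")
    return buf.getvalue()


if __name__ == "__main__":
    # Unsigned DLL in an unsigned package; signed package but unsigned DLL
    # (what "dotnet nuget sign" alone produces); both signed.
    for pkg, dll in ((False, False), (True, False), (True, True)):
        print(audit_nupkg(build_fake_nupkg(pkg, dll)))
```

The middle case is the one worth noticing: `dotnet nuget sign` on its own yields `package_signed: True` while every assembly still reports `False`, which is exactly the state `signtool verify /pa` flagged above. To run it on a real package, pass the bytes of the `.nupkg` to `audit_nupkg`.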

I've just released NodaTime 3.1.7 and NodaTime.Testing 3.1.7, both of which are signed.
I'll close this issue now, but please let me know if anything doesn't look right to you.