Potential signing issue with 2.9.24 NuGet package

[ws-markb]

After struggling with a runtime error in an ASP.NET MVC web app I'm working on (running on .NET Framework 4.7.2), I finally noticed that the error message was slightly different than I normally see for assembly binding issues:

Could not load file or assembly 'StackExchange.Redis' or one of its dependencies. Strong name signature could not be verified.

At this point, I had installed 2.9.24 to bring things up to date. I went through a great number of steps to make sure I wasn't referencing a version which had somehow gotten corrupted on my dev machine (cleared all NuGet caches, ASP.NET Temp files, bin/obj folders, rebuilds etc) but couldn't get rid of the problem. I finally installed 2.9.17 instead—and that worked perfectly.

So out of curiosity I ran sn against the 2.9.24 DLL in my package cache, and it failed to validate. In case it was a local filesystem/corruption issue, I downloaded the package manually from NuGet.org, extracted the DLL and ran sn against that... and it still failed:

❯ & "C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8.1 Tools\sn.exe" -vf "C:\Users\markb\Downloads\stackexchange.redis.2.9.24\lib\net472\StackExchange.Redis.dll"

Microsoft (R) .NET Framework Strong Name Utility  Version 4.0.30319.0
Copyright (c) Microsoft Corporation.  All rights reserved.

Failed to verify assembly -- Strong name validation failed.

Running the same command against a downloaded version of 2.9.17 works fine:

❯ & "C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8.1 Tools\sn.exe" -vf "C:\Users\markb\Downloads\stackexchange.redis.2.9.17\lib\net472\StackExchange.Redis.dll"

Microsoft (R) .NET Framework Strong Name Utility  Version 4.0.30319.0
Copyright (c) Microsoft Corporation.  All rights reserved.

Assembly 'C:\Users\markb\Downloads\stackexchange.redis.2.9.17\lib\net472\StackExchange.Redis.dll' is valid

I even tried the same thing on a different machine (just to make sure it wasn't something weird happening only on my laptop relating to antivirus etc), but I got exactly the same result.

So it seems like something's gone wrong in the signing process for the 2.9.24 version release? I'm not any kind of an expert in this area (strong naming), but if I can provide any more info to help, please let me know!

[mgravell]

Thanks. I've delisted it, pending investigation. Our usual CI has had a bad week, so this is probably related.

[mgravell]

Verified as an issue via sn -v; with 2.9.17:

Assembly '.\StackExchange.Redis.dll' is valid

with 2.9.24:

Failed to verify assembly -- Strong name validation failed.

So: report is correct 👍 - glad I yanked it on Saturday! Continuing to investigate. The problem appears to be a difference between the linux and windows build, which I must have completely erased from my mind - when replacing the broken CI, I used a linux build. It looks like this is explicitly public-sign (bad) on linux. Working on fixing this mess. I could just build on windows, but let me see if I can fix linux first.

It looks like this related to 7-year-old long-since-fixed limitations in .NET Core (as-was at the time). May be an annoyingly simple fix.

[ws-markb]

Well, at least I know I'm not going mad now! Thanks for the update. 🙂

[mgravell]

Please see 2.9.25