Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Sign NuGET build artifacts #8

Open
vmedvedovskiy opened this issue Sep 9, 2016 · 11 comments
Open

Sign NuGET build artifacts #8

vmedvedovskiy opened this issue Sep 9, 2016 · 11 comments

Comments

@vmedvedovskiy
Copy link

Could you please sign binaries, produced for NuGET?
This will allow for your libraries to be referenced from strong named assemblies (signed).

@agehrke
Copy link

agehrke commented Sep 9, 2016

You can use Strong Name Signer to automatically sign assemblies pulled in via NuGet.

https://github.com/brutaldev/StrongNameSigner

@nlkl
Copy link
Owner

nlkl commented Sep 10, 2016

I have been considering the problem, and all in all it seems that strong naming the assemblies will create more problems than benefit.

Having had my own fair share of fights with binding redirection from strong named assemblies such as Newtonsoft.Json, I am quite hesitant to strong name Optional. Further, it seems that the community as a whole are moving away from strong naming, particularly when distributed through Nuget.

Certainly, strong naming causes much more severe problems for popular and often referenced packages such as Newtonsoft.Json than it would in this case, but Optional was always meant to be a lightweight dependency, and including Optional in a project should certainly be as frictionless as possible. Juggling with binding redirects hardly seems in line with this idea.

Unfortunately, this introduces some real inconvenience for projects that are using strong names. However, once you are going down the path of strong naming your assemblies, I suspect this is the smallest of your inconveniences anyway. The tool that @agehrke mentions seems to be a valid and localized solution (another alternative could be https://github.com/dsplaisted/strongnamer), that has the benefit of being independent on whether or not all relevant package owners strong name their assemblies (even if we strong name Optional, your other package dependencies might still not be).

Now, it does seem that .NET Core and friends are starting to ease the pain of managing binding redirects, and I might just reconsider at a later point. Also, there are certain tricks to ease the pain, such as only incrementing assembly versions on major releases etc., but this has its own pitfalls too.

Edit:

Freezing the assembly version and only incrementing assembly file version and package versions might actually be a viable solution - and one that is used by several existing Nuget packages. I will look a bit more into this - if there are no downsides, this might be the way to go.

@DerPeit
Copy link

DerPeit commented Mar 7, 2017

I don't see the problems you're talking about. I have never had any issues with assembly redirects as long as the snk file used to sign the assemblies does not change. @nlkl which sources do you rely on that raise your concerns?

A different approach would be to create two different packages like for example Flurl does:

https://www.nuget.org/packages/Flurl/
https://www.nuget.org/packages/Flurl.Signed/

@nlkl nlkl modified the milestone: Optional 4.0.0 Mar 7, 2017
@jakubsuchybio
Copy link

Completely agree with @DerPeit why not making secondary Nuget with .Signed? I am trying to use your Nuger in my new VS Extension, but can't because there you can reference only signed references.
Please consider it @nlkl Thx

@lsolano
Copy link

lsolano commented Feb 23, 2018

Same issue as @jakubsuchybio with a VSTO add-in. We do sing your assembly and upload a private package to our Nuget feed (Nexus); works but add extra steps with every new version of your package.

@nlkl
Copy link
Owner

nlkl commented Feb 24, 2018

Hi @jakubsuchybio and @lsolano

Although I am not completely against the idea, I recommend that you try out a solution like https://github.com/dsplaisted/strongnamer or similar first - any concrete experiences with this approach?

/ Nils

@Galad
Copy link

Galad commented Dec 7, 2018

Hello,
We also have strong named assemblies and we currently use https://github.com/brutaldev/StrongNameSigner. We consider moving our projects to PackageReference but unfortunately, StrongNameSigner is not compatible with it at this time.
Recently Microsoft published some documentation about signing open sourced libraries.
I suggest @nlkl you take a look at it, maybe it will help you making a decision.

@MitchBodmer
Copy link

MitchBodmer commented Sep 19, 2019

Hey @nlkl I'd like offer another vote in favor of signing.

Currently the guidance is in favor of signing publicly published .NET libraries. Even some of the most vocal critics of signing have changed their tune.

Personally, I end up writing libraries that are used by a variety of projects, and signing is the best way I've found to support everyone. The pain from binding redirects is mostly gone now with .NET core.

In my opinion the benefits far outweigh the costs. Every time I'm working on a project that must be signed and see an excellent use for Optional, I get sad.

@nlkl
Copy link
Owner

nlkl commented Sep 20, 2019

Hi @MitchBodmer

I agree and my opinion on this has changed as well. Let us strive to sign the assemblies from v5.

Thanks for reminding me of this!

/ Nils

@nlkl nlkl added this to the 5.0.0 milestone Sep 20, 2019
@MitchBodmer
Copy link

@nlkl would you like a PR for this? I'd be more than happy to contribute.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

8 participants