Comments (10)
Hi @Tra5is!
How does code signing work? Do we need a certificate of some kind? Do we enable it through appveyor?
Chris
from packetnet.
This looks like a pretty thorough walkthrough - https://natemcmaster.com/blog/2018/07/02/code-signing/
But I'm not sure that the Azure Key Vault is really needed if using an encrypted PFX. The password for the PFX would go into an appveyor secret and used during the code signing step.
It looks like you'll need a cert that's trusted by MS, and will cost some $$.
from packetnet.
Hi @Tra5is. Yeah it looks like the certs are hundreds yearly. I'd be happy for the funding to purchase and maintain such a key but this is an open source project so there isn't much motivation to do so at this point :-)
from packetnet.
No one wants to pay for a cert to sign the library so closing this ticket out.
from packetnet.
Reopening, I don't think you actually need to purchase a certificate. All that's required is a snk file which you can generate yourself for free. https://docs.microsoft.com/en-us/dotnet/standard/assembly/sign-strong-name There are several projects that just have this snk file commited in repository. I think we can do the same.
from packetnet.
Be aware that strong naming the assembly prevents the possibility to "swap in" API-compatible newer versions of the assembly into the larger systems - but making that possible is required by the LPGL. Effectively, .NET strong naming is incompatible with LPGL.
from packetnet.
The key file can be added to the repository (it doesn't need to be kept a secret). Quite a lot of packages do that nowadays, this way it should also be possible to create builds manually (as a drop-in replacement).
from packetnet.
But the licensing problem remains even when the key file is public. Whenever somebody references an assembly that is strong named, that assembly file cannot be exchanged for a new version of it (unless you want to keep the version number always the same) - when you attempt to do so, the assembly will reject to load. This means that you cannot swap in a newer version, even when signed with the same key. And that means you cannot fulfill the LGPL conditions.
from packetnet.
The version number issue also exists without a public key; if you reference an unsigned assembly with version x.x.x.x and then copy unsigned x.x.x.y in then you'll need to use assembly redirection. You can also redirect assemblies with a publicKeyToken, it would only break cases when you're currently having binding redirects defined for non-signed and then start using the signed version, but that's acceptable for this change.
from packetnet.
Oh... you are right. It is not possible to redirect to an assembly signed with a different key, but it is possible to redirect to a different version of that assembly - when the same key is used for signing. My fault.
from packetnet.
Related Issues (20)
- OSPF V2 packet with link-local signaling (LLS) data not handled correctly HOT 1
- Update NuGet
- SSL Interception
- LinkLayers have wrong base type HOT 1
- Constructing Wifi Packets
- Add support to NDP HOT 3
- Switch SDK to .NET 6.0
- log4net dependency in nuget package HOT 3
- CI woes HOT 12
- Any chance for v1.4.7? HOT 1
- TLS decoding support HOT 6
- Implementing Application Layer Packets HOT 1
- Move off System.Runtime.CompilerServices.Unsafe nuget? HOT 2
- TCP packet checksum in not hex
- Capturing STUN , TURN
- icmpv6package dosen't include data[],sequence,ID
- icmpv6package has not some memebers HOT 2
- Large UDP packet: Length field get overwritten with length of first IP fragment
- Parsing / Checksum calc issue when crafting IPv6 ICMP6 packets
- Parsing fails on a capture file where NPF_LOOPBACK adapter is present on the machine where wireshark captured the file
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from packetnet.