Authenticode signing binaries about visualrust HOT 4 OPEN

There is a difference between strong name signing (which is tied to assembly identity and required for the GAC) and Autheticode signing, which is about authenticity and provenance of the binary itself.

Snk files are not a security mechanism -- which is why they're ok to check in. What they do is disambiguate two libraries that might happen to have the same name otherwise.

Authenticode stamps on the public portion of an x509 certificate (so individual or organization) and timestamp from a CA. Things like SmartScreen then check the reputation of the certificate to determine whether to show the "this file is not trusted..." dialog. It is possible to verify that a file hasn't been tampered with during assembly load, but that's generally not done for perf reasons. It's usually at run of a file with the "mark of the web" or the VSIX installer.

from visualrust.

Some code signing is already done to help support strong naming, which in turn helps support installation into the GAC? Of course, my understanding is that the private key is checked directly into version control at https://github.com/PistonDevelopers/VisualRust/blob/master/src/VisualRust/Key.snk , so this doesn't really prevent tampering per se.

from visualrust.

So we would need an x509 certificate from somewhere, right?

from visualrust.

Right...that is the requirement. Certum offers cheap ones for OSS projects. Many foundations like the .NET Foundation and the Apache foundation offer them to their member projects.

https://www.certum.eu/certum/cert,offer_en_open_source_cs.xml

There are others too, but I believe Certum is the cheapest.

from visualrust.