Comments (4)
There is a difference between strong name signing (which is tied to assembly identity and required for the GAC) and Autheticode signing, which is about authenticity and provenance of the binary itself.
Snk files are not a security mechanism -- which is why they're ok to check in. What they do is disambiguate two libraries that might happen to have the same name otherwise.
Authenticode stamps on the public portion of an x509 certificate (so individual or organization) and timestamp from a CA. Things like SmartScreen then check the reputation of the certificate to determine whether to show the "this file is not trusted..." dialog. It is possible to verify that a file hasn't been tampered with during assembly load, but that's generally not done for perf reasons. It's usually at run of a file with the "mark of the web" or the VSIX installer.
from visualrust.
Some code signing is already done to help support strong naming, which in turn helps support installation into the GAC? Of course, my understanding is that the private key is checked directly into version control at https://github.com/PistonDevelopers/VisualRust/blob/master/src/VisualRust/Key.snk , so this doesn't really prevent tampering per se.
from visualrust.
So we would need an x509 certificate from somewhere, right?
from visualrust.
Right...that is the requirement. Certum offers cheap ones for OSS projects. Many foundations like the .NET Foundation and the Apache foundation offer them to their member projects.
https://www.certum.eu/certum/cert,offer_en_open_source_cs.xml
There are others too, but I believe Certum is the cheapest.
from visualrust.
Related Issues (20)
- Polish: Intellisense is a little too aggressive HOT 2
- Polish: Automatic multi-line doc comments / templating
- Build: Debug vsix packages? HOT 1
- Util.GetTokensAtPosition edge cases HOT 3
- Multiple Issues opening and building the solution in VS2017 HOT 8
- Clean up solution config/platform matrix. HOT 1
- Visual rust crashes msbuild while building in VS 2017 HOT 4
- Requires solution clean every time I want to compile HOT 1
- Modern project system support HOT 12
- VS 2017 - latest from CI NRE HOT 7
- Could not uninstall VSIX - looking for LICENSE.txt HOT 5
- Git LFS Quota issues HOT 5
- No Rust installation detected. You can download official Rust installer HOT 8
- Latest build fails to install HOT 2
- VS now supports the Language Server Protocol HOT 1
- Installation at MS VS for MAC HOT 1
- visualrust with vs2017 doesn't seem to work HOT 2
- is a vs 2017 extension available? HOT 6
- Is there support for later updates?
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from visualrust.