VMR assemblies that are authenticode signed but not strong-named

[ellahathaway]

There are three assemblies in the VMR that are being reported as having valid Authenticode signatures but are not strong-named:

• Valleysoft.DockerCredsProvider.dll
• ILVerify.dll
• ILCompiler.Build.Tasks.dll

We should determine if we expect these to be strong-named or not. If we do not expect them to be strong-named, we will need to implement a fix.

[mmitche]

Valleysoft.DockerCredsProvider.dll should not be strong named since we didn't build it. @jkoritzinsky do you happen to know about:

ILVerify.dll
ILCompiler.Build.Tasks.dll

?

[ellahathaway]

Sounds good. dotnet/arcade#15682 (plus an entry in the VMR exclusions file) will take care of the validation alerting to Valleysoft.DockerCredsProvider.dll

[mmitche]

Close when you're ready to.

[ellahathaway]

do you happen to know about:

ILVerify.dll
ILCompiler.Build.Tasks.dll

@jkoritzinsky - friendly ping on the earlier question :)

[mmitche]

@ericstj Can also probably answer the above question too.

[ericstj]

I checked my local runtime build and found that they are not strong-named there. Also checked in the product bits and found they were not signed. Seems intentional to me.

Here's what seems to make that setting:
https://github.com/dotnet/runtime/blob/bbc50e511150368fd10f56783c48aa3a04f1f5d3/src/coreclr/tools/Directory.Build.props#L5

[mmitche]

Thanks @ericstj