Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Strong named nuget version #196

Closed
Muarl opened this issue Oct 22, 2019 · 10 comments
Closed

Strong named nuget version #196

Muarl opened this issue Oct 22, 2019 · 10 comments

Comments

@Muarl
Copy link

Muarl commented Oct 22, 2019

Hey there, could you provide strong named nuget?
We could need it ;)
@MikeVensel
Copy link

I have run into this kind of issue several times with other libraries and the easiest solution for me has been to just use the StrongNamer nuget package which can be found here. All you have to do to implement it is add the nuget package to your project and build.

@jzabroski
Copy link

@MikeVensel Wouldn't it be great if the new .net core Common Project System let you just write:

  <PackageReference Include="AsyncEx" Version="2.0.0" StrongName="Auto" />

@jzabroski
Copy link

@MikeVensel Actually... Check out:https://docs.microsoft.com/en-us/dotnet/standard/library-guidance/strong-naming

Which in turn links to: https://docs.microsoft.com/en-us/nuget/create-packages/sign-a-package

which says:

Requires nuget.exe 4.6.0 or later. dotnet.exe support is coming soon - #7939

...There is also <PublicSign>true</PublicSign> and a FakeSign nuget package from 2015.

from: https://github.com/dotnet/corefx/blob/master/Documentation/project-docs/public-signing.md

I'm a little confused as to what the relationship is between StrongNamer and FakeSign AND WHY IS THIS SO CRAZILY OBFUSCATED MICROSOFT. lol

@jzabroski
Copy link

jzabroski commented Oct 25, 2019
edited
Loading

@MikeVensel Well, this brought me down a rabbit hole on a Friday afternoon.

  1. FakeSign is more or less obsolete; I submitted a PR to CoreFX to fix the documentation.
  2. <PublicSign>true</PublicSign> is the way to go for NEW greenfield projects
  3. StrongNamer is the way to go for compatibility with open source projects; Jared Parsons said on twitter that he isn't convinced of the utility of making this widely accessible. LOLOLOL.
  4. Microsoft.CodeAnalysis.DesktopStrongNameProvider inside the Roslyn SDK appears to be the officially supported way from Microsoft, but it isn't packaged as an MSBuild target or something generally consumable by the public. It appears this is what /publicsign internally leverages; ideally, StrongNamer would also leverage the same API

Sigh. Microsoft never makes things relentlessly easy.

@jzabroski jzabroski mentioned this issue Oct 25, 2019
Open
@MikeVensel
Copy link

@jzabroski Oof what a way to spend a Friday. I appreciate you putting all this information together though. Signing using public keys seems like a great thing for open source projects so hopefully developers creating new products will start to move in that direction.

@StephenCleary
Copy link
Owner

Short answer: no, I have no plans to add strong-naming to AsyncEx now, for reasons described here. See also #2.

A Short History of Strong Naming in AsyncEx:

  • AsyncEx v2 was strong named. Endless problems ensued and only grew as the library's popularity grew. The strong naming was removed in v3.
  • AsyncEx v4 had a separate library that was strong named. More problems ensued to the point it became a maintenance burden. This strong named option was also removed.
  • AsyncEx v5 (prerelease) was public signed for a release or two. I had high hopes that public signing would work around the problems with strong naming, but it did not fix all the problems with strong naming, so the public signing was also removed.

I still think the .NET ecosystem would be better served by a service that auto-signs packages following a semantic versioning approach. So far, I have not had time to write this service.

@jzabroski
Copy link

@StephenCleary how is that service idea you have different from StrongNamer?

@StephenCleary
Copy link
Owner

What I'd like to see is a web service of sorts where you (or anyone) can submit a NuGet package id. This web service watches for new versions of NuGet packages matching any of the ids it monitors and:

  1. Downloads the package,
  2. Strong names it (essentially how StrongNamer works),
  3. Publishes it to NuGet as a new package, something like "AutoStrongNamed.Original.Package.Name".

All the pieces for this (monitoring, downloading, StrongNamer, publishing) are solved problems. Someone just needs to put it all together and host it somewhere.

@jzabroski
Copy link

jzabroski commented Oct 26, 2019 via email

@Muarl
Copy link
Author

Muarl commented Oct 28, 2019

Thanks for the very detailed answers. Especially as you had to answer them again. Sorry for that.

@Yvand Yvand mentioned this issue Nov 18, 2020
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@jzabroski @StephenCleary @MikeVensel @Muarl