Signing binaries of open-source projects

I tried to use ServiceStack in my current project but found that the released binaries were not strong named, so I couldn't use it out of the box. When I asked on GitHub "why", I got the following answer:

it's virally toxic and hinders binding, upgrading, development, deployment, etc.

mythz was very laconic, so I didn't want to bother him further and am asking here. I use a lot of open-source .NET projects like AutoMapper, NUnit, Moq, log4net, Ninject, etc., and their releases are all strong named. I found a similar question here on SO, but it doesn't help me. Is this normal practice in OSS? Why not release both signed and unsigned binaries?

UserControl asked Jul 25 '12 18:07

1 Answer

Here's an existing discussion on reasons why Strong Naming is a bad idea for Open Source projects:

https://groups.google.com/forum/?fromgroups#!topic/getglimpse-dev/pXXazMOOdjE

Here is a nightmare story from using it:

http://haacked.com/archive/2012/02/16/changing-a-strong-name-is-a-major-breaking-change.aspx

I've personally been in 2 teams that have suffered through 2 generations of Log4Net that have tried to use assemblies referencing 2 different strong-named versions of Log4Net in the same project - wasting lots of time and effort trying to make this work is not fun, nor is it something we plan to subject ourselves or mandate all our users to.

Users that want a strong-named version are free to sign their own clone/fork of the public ServiceStack repos.

If there is demand for it, we will consider maintaining our own "Officially Signed" commercial versions of our libraries.

mythz answered Sep 27 '22 19:09
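An added example, not code from the question, the answer or ServiceStack: a C# program using System.Reflection.Metadata (assumes .NET 5 or later) that reports which assemblies in a directory are strong-named and flags any referenced name that appears under two different strong-name identities, the Log4Net situation the answer describes.

```csharp
// Added example (not from the question, the answer or ServiceStack): records, per
// referenced assembly name, every strong-name identity (version/public key token)
// requested by the DLLs in a directory. A strong name identifies; it does not prove trust.
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Reflection.Metadata;
using System.Reflection.PortableExecutable;

static class StrongNameAudit
{
    // Map of referenced assembly name -> set of "version/token" identities seen.
    static Dictionary<string, HashSet<string>> CollectReferences(string dir)
    {
        var refs = new Dictionary<string, HashSet<string>>(StringComparer.OrdinalIgnoreCase);
        foreach (var path in Directory.EnumerateFiles(dir, "*.dll"))
        {
            using var pe = new PEReader(File.OpenRead(path));
            if (!pe.HasMetadata) continue;                 // native DLL, skip
            var md = pe.GetMetadataReader();
            if (!md.IsAssembly) continue;                  // .netmodule, skip
            var self = md.GetAssemblyDefinition();
            // A strong-named assembly carries a public key blob; an unsigned one has none.
            string status = self.PublicKey.IsNil ? "NOT strong-named" : "strong-named";
            Console.WriteLine($"{Path.GetFileName(path)}: {md.GetString(self.Name)} {self.Version} ({status})");
            foreach (var h in md.AssemblyReferences)
            {
                var r = md.GetAssemblyReference(h);
                string token = r.PublicKeyOrToken.IsNil ? "none"
                    : Convert.ToHexString(md.GetBlobBytes(r.PublicKeyOrToken)).ToLowerInvariant();
                string name = md.GetString(r.Name);
                if (!refs.TryGetValue(name, out var set)) refs[name] = set = new HashSet<string>();
                set.Add($"{r.Version}/{token}");
            }
        }
        return refs;
    }

    static void Main(string[] args)
    {
        var refs = CollectReferences(args.Length > 0 ? args[0] : ".");
        // Same simple name under different identities: the loader treats them as
        // unrelated assemblies, so both must be present (or redirected) to run.
        foreach (var (name, ids) in refs.Where(kv => kv.Value.Count > 1))
            Console.WriteLine($"CONFLICT {name}: {string.Join(", ", ids.OrderBy(s => s))}");
    }
}
```

Run it against a build output folder (`dotnet run -- bin/Release`) to see which libraries pulled in which Log4Net identity before the runtime reports a binding failure.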