Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Who should own the private key used to sign a .NET assembly when its project is open-source? [closed]

More specifically, a class library assembly. My initial thoughts:

  • Have some designated administrators do all the assembly signing. But then when bug fixes and new versions are written, the binaries would ultimately depend on them being around (even if its just a small change for private reasons).
  • The key could be publicly available. But that goes against public-key cryptography practices and you lose the advantage of trust and identity.
  • Allow end-developers and distributors to sign it with their own keys. But then you lose modularization since each new signing makes it incompatible with some of the other versions.

Sure, you could just not sign the assembly. But if another project that requires their assembly to be signed references your library, you get a compile error.

like image 360
Joe Avatar asked Jan 07 '10 15:01

Joe


People also ask

How do I sign an assembly in Visual Studio?

Create and sign an assembly with a strong name by using Visual Studio. In Solution Explorer, open the shortcut menu for the project, and then choose Properties. Under the Build tab you'll find a Strong naming node. Select the Sign the assembly checkbox, which expands the options.

Why do we sign an assembly?

A very important reason to sign an assembly is so you can be sure it is your assembly. Since the private key is yours, nobody else can sign an assembly with that same key. This means that when the public key of an assembly is one you know (you can retrieve this using the GetType().

Where is public key embedded while signing an assembly?

Your public key is stored in the manifest. The manifest file is digitally signed with your private key, and this signature is stored in a nonhashed segment of the assembly. You develop some code that references some other class of another strong-named assembly.

How do you check if an assembly is signed?

To detect whether the assembly file is signed or not, right click on the file and click the 'Properties' from the context menu. If you see a 'Digital Signatures' tab in the properties window, that means, the file is signed by a digital signature (as shown below).


2 Answers

I've recently encountered the same problem in an open-source project that I maintain. Here is how I addressed this issue:

  • Sources are always available for dowload via the repository, but a release will consist of a snapshot of the sources, plus a compiled version.
  • Prior to making the compiled version available, I sign the assemblies with my private key.

So in your case, whoever is preparing the release should own the key. There is no need for the library developers to know about it at all.

If end-users want to recompile and sign with their own keys, that's fine. You can distinguish between the binaries of yours and others by comparing the public key that is present in the signed assemblies. Make the public key available and others can do the same.

Managing this process gets a bit cumbersome when the InternalsVisibleToAttribute is used to refer to strong-named assemblies. You can read about how I addressed that problem here.

like image 75
Steve Guidi Avatar answered Oct 15 '22 11:10

Steve Guidi


I for one would not mind if more projects that you are probably going to just use as a refrence instead of edit and re-compile would offer a "signed" version of the dll. That would help in trusting a refrence to an existing .dll quicker than checking the code and compiling your own.

In a lot of open-source project there is kind of a "Parent" of the effort, think Linus or even John Gruber for examples. These people could hold the key or distribute one to a trusted admin for signing major releases.

like image 34
Tj Kellie Avatar answered Oct 15 '22 12:10

Tj Kellie