Docs: Authenticode and .NET/MSBuild

Docs team: do you know of an article that discusses Authenticode in the context of .NET? It would be nice to link to something more pertinent.

// @onovotny

@JamesNK these are some that I found:

• https://docs.microsoft.com/visualstudio/deployment/clickonce-and-authenticode
• https://docs.microsoft.com/dotnet/framework/unmanaged-api/authenticode/

Not sure if any of these is what you're looking for?

Not really. There is a blog post that talk about Authenticode signing and .NET but it is completely out of date:

https://blogs.msdn.microsoft.com/shawnfa/2005/12/13/authenticode-and-assemblies/

I think it is a gap in the docs.

Could be @JamesNK!

Does anyone actually use Authenticode for .Net assemblies? Is it usable cross-platform?

If not, maybe it shouldn't be recommended here?

Many people and organizations Authenticode .NET assemblies. It's the only way to guarantee provenance and ensure it wasn't tampered with.

The fact that most developers don't is likely due to the cost of the certs. We should be working to make it easier/cheaper, etc. The underlying tech is worthwhile.

Here's a cross plat version
https://linux.die.net/man/1/signcode

It can sign and validate signatures on any platform Mono supports.

Next step is to get those Authenticode tools ported to .NET Core. Which will happen.

All the tools are in Mono here: https://github.com/mono/mono/tree/master/mcs/tools/security

The fact that most developers don't is likely due to the cost of the certs.

And it is never talked about to .NET devs, or well documented.