Git-credential-manager-for-windows: Assemblies should be signed

Created on 14 Dec 2016 · 8 comments · Source: microsoft/Git-Credential-Manager-for-Windows

The assemblies shipped inside the Nuget package (https://www.nuget.org/packages/Microsoft.Alm.Authentication) are not signed. This means that no signed assemblies can use this package.


All 8 comments

I agree, and they should have been. I'll see if I can find out what happened and fix that.

Any news/ETA on this issue?

Next release will be signed correctly. Some internal time competes (imminent release of VS 2017 mostly), which are time competes. My apologies and thanks for your patience.

Hi there,
Just wondering if this ticket is still in the pipeline?

@Evangelink the latest package should have been signed. Can you confirm? I'm seeing signed binaries.

Hi @whoisj!

Sorry for the delay, I had a lot of other things in the pipe. I have just made a test using Microsoft.Alm.Authentication.4.0.0.1 and I still see that Microsoft.Alm.Authentication.dll is not signed.
I am using the sn -vf command and it says that .\Microsoft.Alm.Authentication.dll does not represent a strongly named assembly.

Could you tell me if you have a different behavior? Maybe I did something wrong.

@Evangelink oh - strong name signed. I understand now. I'm sorry, but I don't do that with the GCM. We do certificate sign the binaries, which validates that the binaries were built and published by Microsoft - but I do not strong name sign them.

There are a few reasons for this. Firstly, strong name signing is viral (and its virality is likely the source of you asking for Microsoft.Alm to be signed). Secondly, it adds no value (there's no value in strong name signing a binary - maybe there once was, but there no longer is). Thirdly, it makes it hard for general audiences to consume the binary (see first item). Lastly, it complicates the build process / makes it more expensive for me to own the GCM on a day-to-day basis.

If you need strong name signed binaries, you're more than welcome to add a sns.key and build with it yourself. That will produce strongly signed binaries for your consumption.
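The comment above draws a distinction that is easy to get wrong when checking a package: certificate (Authenticode) signing and strong name signing live in different parts of the PE file, and an assembly can have either, both or neither. The following is an added example, not part of the issue thread or of the GCM project: a small Python script that reads the PE headers of an assembly and reports whether it carries an Authenticode certificate table entry and whether its CLI header has the strong-name flag and a non-zero signature blob. It performs structural checks only; cryptographic validation remains the job of sn -vf (strong name) and signtool verify or Get-AuthenticodeSignature (Authenticode). The build_sample_assembly helper constructs a synthetic PE image so the script can run without a real DLL; run it with a path argument to inspect an actual assembly.

```python
import struct
import sys

# PE data-directory slots and CLI-header flag (values from the PE/COFF and ECMA-335 specs).
IMAGE_DIRECTORY_ENTRY_SECURITY = 4          # Authenticode certificate table (file offset, not RVA)
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14   # CLI (.NET) header
COMIMAGE_FLAGS_STRONGNAMESIGNED = 0x0008


def _rva_to_offset(rva, sections):
    """Map an RVA to a file offset using the section table."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError("RVA 0x%x is not inside any section" % rva)


def inspect_signing(data):
    """Structural report of the signing artifacts in a PE image (no signature validation).

    Keys: managed (CLI header present), strong_name_flag (COR20 Flags bit set),
    strong_name_blob (reserved signature blob is present and non-zero),
    authenticode_cert_table (a certificate table directory entry exists).
    """
    if data[:2] != b"MZ":
        raise ValueError("not a PE image (missing MZ header)")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image (missing PE signature)")
    coff = e_lfanew + 4
    num_sections, = struct.unpack_from("<H", data, coff + 2)
    opt_size, = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20
    magic, = struct.unpack_from("<H", data, opt)
    dd_base = {0x10B: opt + 96, 0x20B: opt + 112}.get(magic)  # PE32 vs PE32+
    if dd_base is None:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    num_dd, = struct.unpack_from("<I", data, dd_base - 4)

    def directory(index):
        if index >= num_dd:
            return 0, 0
        return struct.unpack_from("<II", data, dd_base + 8 * index)

    sections = []
    for i in range(num_sections):
        entry = opt + opt_size + 40 * i
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, entry + 8)
        sections.append((va, vsize, raw_ptr, raw_size))

    cert_off, cert_size = directory(IMAGE_DIRECTORY_ENTRY_SECURITY)
    clr_rva, _ = directory(IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR)
    result = {
        "managed": clr_rva != 0,
        "strong_name_flag": False,
        "strong_name_blob": False,
        "authenticode_cert_table": cert_off != 0 and cert_size != 0,
    }
    if clr_rva:
        clr = _rva_to_offset(clr_rva, sections)
        flags, = struct.unpack_from("<I", data, clr + 16)            # IMAGE_COR20_HEADER.Flags
        sn_rva, sn_size = struct.unpack_from("<II", data, clr + 32)  # .StrongNameSignature
        result["strong_name_flag"] = bool(flags & COMIMAGE_FLAGS_STRONGNAMESIGNED)
        if sn_rva and sn_size:
            blob_off = _rva_to_offset(sn_rva, sections)
            # A delay-signed build reserves the blob but leaves it zero-filled.
            result["strong_name_blob"] = any(data[blob_off:blob_off + sn_size])
    return result


def build_sample_assembly(strong_named, authenticode):
    """Constructed minimal PE32 image with a CLI header (a synthetic sample, not a real DLL)."""
    hdr = bytearray(0x200)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)                            # e_lfanew
    hdr[0x80:0x84] = b"PE\0\0"
    coff = 0x84
    struct.pack_into("<HHIIIHH", hdr, coff, 0x14C, 1, 0, 0, 0, 224, 0x2102)
    opt = coff + 20
    struct.pack_into("<H", hdr, opt, 0x10B)                            # PE32 magic
    struct.pack_into("<I", hdr, opt + 92, 16)                          # NumberOfRvaAndSizes
    dd = opt + 96
    cert_size = 8 + 16 if authenticode else 0
    if authenticode:
        struct.pack_into("<II", hdr, dd + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, 0x400, cert_size)
    struct.pack_into("<II", hdr, dd + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, 0x2000, 72)
    sec = opt + 224
    hdr[sec:sec + 8] = b".text\0\0\0"
    struct.pack_into("<IIII", hdr, sec + 8, 0x200, 0x2000, 0x200, 0x200)  # vsize, va, raw size, raw ptr
    text = bytearray(0x200)
    flags = 0x1 | (COMIMAGE_FLAGS_STRONGNAMESIGNED if strong_named else 0)  # 0x1 = ILONLY
    sn_rva, sn_size = (0x2080, 128) if strong_named else (0, 0)
    struct.pack_into("<IHHIIIIIIII", text, 0, 72, 2, 5, 0x2100, 0x10, flags, 0, 0, 0, sn_rva, sn_size)
    if strong_named:
        text[0x80:0x100] = b"\xAA" * 128                                # placeholder signature bytes
    image = bytes(hdr) + bytes(text)
    if authenticode:
        # WIN_CERTIFICATE header (dwLength, wRevision, wCertificateType) + placeholder PKCS#7 bytes
        image += struct.pack("<IHH", cert_size, 0x0200, 0x0002) + b"\xBB" * 16
    return image


if __name__ == "__main__":
    # Usage: python check_signing.py <assembly.dll>; with no argument the constructed sample is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_assembly(False, True)
    for key, value in inspect_signing(data).items():
        print("%-24s %s" % (key, value))
```

A certificate-signed but not strong-named assembly, which is what the comment above describes for the GCM binaries, shows authenticode_cert_table as True with both strong_name fields False; that is exactly the combination that makes sn -vf report "does not represent a strongly named assembly" while signtool verify still succeeds.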

Hi @whoisj.
I totally get your point and I was asking because we do sign our DLLs, which forces us to have signed dependencies. I have found this tool (StrongNamer) which will let me avoid forking your project just to sign it (and probably avoid any licensing issue).
