Ask for publishing a nuget with signed dll #653
Unanswered
GuitarmonYz
asked this question in
Q&A
Replies: 4 comments 5 replies
-
Hi, not opposed to this in principle but would like to investigate the
consequences first just to make sure it doesn't cause issues for others.
Unfortunately I'm unlikely to have the time over the next few weeks at
least just too busy with other priorities!
…On Sat, 7 Oct 2023, 02:19 Joe Yan, ***@***.***> wrote:
Hi community,
Could the owner please publish a nuget with signed dll? In many orgs it
requires the dll to be strong named, it would be much easier if the nuget
comes with a signed dll. Local signing is tricky and it becomes a real
problem when dealing with CI/CD
2 replies
-
Yes, we use strong-named signed assemblies. Generally the NuGet feed needs to provide that. You can strong-name sign yourself by downloading into a static location and applying a tool but then the NuGet feed can’t be used (since it doesn’t contain your signed version). I don’t recall the name of the signing tool off hand.
Tom Hintz
Milner Technologies, VP Product Development
From: Joe Yan ***@***.***>
Sent: Monday, October 9, 2023 10:44 AM
To: charlesw/tesseract ***@***.***>
Cc: Subscribed ***@***.***>
Subject: Re: [charlesw/tesseract] Ask for publishing a nuget with signed dll (Discussion #653)
Got it. Is there a possibility for other devs in the community to handle this work if there is some instruction to follow? I would love to contribute if possible
1 reply
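An added example, not part of the thread or the project's code: a PowerShell function that reports which DLLs inside a locally downloaded .nupkg carry a strong name, the kind of check an organization with the requirement described above could run in CI. The function name `Get-NupkgStrongNameReport` and its output fields are hypothetical.

```powershell
# Added example: report the strong-name status of every DLL inside a .nupkg.
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Get-NupkgStrongNameReport {
    param(
        # Path to a locally downloaded package (supplied by the caller).
        [Parameter(Mandatory)] [string] $NupkgPath
    )
    $work = Join-Path ([System.IO.Path]::GetTempPath()) ([System.Guid]::NewGuid().ToString())
    New-Item -ItemType Directory -Path $work | Out-Null
    $zip = [System.IO.Compression.ZipFile]::OpenRead((Resolve-Path $NupkgPath).Path)
    try {
        $index = 0
        foreach ($entry in $zip.Entries) {
            if ($entry.FullName -notlike '*.dll') { continue }
            # Extract under a generated name so archive entry paths never
            # influence where files are written on disk.
            $index += 1
            $file = Join-Path $work ("{0}.dll" -f $index)
            [System.IO.Compression.ZipFileExtensions]::ExtractToFile($entry, $file, $true)
            try {
                # Reads assembly metadata only; the DLL is not loaded into the session.
                $name  = [System.Reflection.AssemblyName]::GetAssemblyName($file)
                $token = $name.GetPublicKeyToken()
                $hex   = if ($token) { -join ($token | ForEach-Object { $_.ToString('x2') }) } else { '' }
                $status = if ($hex) { 'StrongNamed' } else { 'Unsigned' }
            } catch [System.BadImageFormatException] {
                # Native DLLs have no .NET metadata and cannot be strong-named.
                $hex = ''
                $status = 'NotManaged'
            }
            [pscustomobject]@{
                Entry          = $entry.FullName
                Status         = $status
                PublicKeyToken = $hex
            }
        }
    } finally {
        $zip.Dispose()
        Remove-Item -Recurse -Force $work
    }
}
```

A public key token shows that the assembly declares a strong-name identity; this check does not validate the signature itself, so a delay-signed assembly is also reported as `StrongNamed`.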
-
It isn’t clear to me what the advantage of having both a signed and unsigned feed would be. Signing only affects dependencies and all dependencies are already strong-named. Users of the dependency are not affected if they aren’t themselves strong-name signed. Therefore everyone can use just the strong-named feed.
Tom Hintz
Milner Technologies, VP Product Development
From: Joe Yan ***@***.***>
Sent: Monday, October 9, 2023 11:17 AM
To: charlesw/tesseract ***@***.***>
Cc: Tom Hintz ***@***.***>; Comment ***@***.***>
Subject: Re: [charlesw/tesseract] Ask for publishing a nuget with signed dll (Discussion #653)
And it wouldn't affect others if we publish a new nuget like tesseract-signed. There are plenty of examples which follow the same pattern, for example, murmurhash and murmurhash-signed: https://www.nuget.org/packages?q=murmurhash
1 reply
-
Thanks for the discussion! I'd say let's just make it signed which sounds
like it shouldn't affect existing users. Can always go the separate signed
route later if required however would prefer not to minimise overhead.
Generally don't have quite as much time these days 🙂
…On Tue, 10 Oct 2023, 02:29 Joe Yan, ***@***.***> wrote:
As Charles states, he needs time to further investigate the consequences
of doing such a change to avoid impact on existing users, having a signed
feed would completely avoid impact on existing users, which saves time for
both the owner and consumer
1 reply
-
Hi community,
Could the owner please publish a nuget with signed dll? In many orgs it requires the dll to be strong named, it would be much easier if the nuget comes with a signed dll. Local signing is tricky and it becomes a real problem when dealing with CI/CD