I manage an open-source project and want to sign Binaries released in this project's binary package. I am I use visual studio csproj and sln files to distribute these files as a part of the source package of the project and manage my project.
How can I sign my production binaries and do not distribute the snk key-pair file to me? If I use Visual Studio to sign assemblies, then each project file requires a copy of the key-pair to create it now
Edit : Another warning is that in some assembly, I have no problem sharing the key pair. Access project grant friend via InternalVisibleToAttribute , and create those friends through a project reference. As a result, such assemblies will have to use a strong name while mentioning a signature assembly. However, if the key-pair is not distributed, how can the end-user make the source and maintain the project relationship? If a floating key-pair file is used, the public key token of signed assemblies, by breaking the InternalsVisibleToAttribute references,
You must not deliver keypair The strong name is to verify that the new version of the assembly comes from the same publisher.
If any other developer wants to add your project to the branch, then it will generate its keypayer and it will effectively show that its version is not with you so that other parliaments that depend on you Will not load until they are compiled again. It is not always convenient but it protects you from someone who issues a malicious version of the assembly and secretly distributes it.
No comments:
Post a Comment