Code Sign release artifacts #1882

Open
elachlan opened this issue Feb 6, 2025 · 8 comments
Labels
enhancement New feature or request

Comments

@elachlan

elachlan commented Feb 6, 2025

Neither MailKit nor MimeKit code signs the output DLLs. This has come up in an audit, and I am wondering if you would consider code signing the releases?

@jstedfast
Owner

I would consider it but I'd appreciate some info on how to set that up. If it's something that I can easily do, then absolutely.

@elachlan
Author

elachlan commented Feb 7, 2025

Are you automating the build process for the NuGet package, or do you build it on your workstation before shipping it?

Usually the process is to obtain a code signing certificate and use signtool.exe to sign the output as part of the build process. I think you might be able to get a code signing certificate for free as the maintainer of a highly used open source package.

https://learn.microsoft.com/en-us/nuget/create-packages/sign-a-package
https://codesigningstore.com/how-to-sign-an-exe-in-visual-studio-2022-using-signtool

I would use something like this to automate it in the csproj:

<!-- Runs after Publish for a Release|AnyCPU build and Authenticode-signs the published
     assemblies. /fd sha256 is the file digest; /tr + /td sha256 attaches an RFC 3161
     timestamp so the signature stays valid after the certificate itself expires. -->
<Target Name="PostPublish" AfterTargets="Publish" Condition="'$(Configuration)|$(Platform)' == 'Release|AnyCPU'">
  <Exec Command="&quot;C:\Program Files (x86)\Windows Kits\10\App Certification Kit\signtool.exe&quot; sign /tr http://timestamp.digicert.com /td sha256 /fd sha256 mailkit.dll mimekit.dll" WorkingDirectory="$(PublishDir)" />
</Target>
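The audit finding that opened this issue is "the shipped DLLs carry no signature", so the check a consumer (or the maintainer, after wiring up signtool) actually wants is one that opens the .nupkg and reports which assemblies still lack an embedded Authenticode signature and whether the package itself is NuGet-signed. The script below is an added example written for this page, not MailKit/MimeKit code: it walks the PE headers to the Certificate Table (data directory 4, whose entry is a file offset rather than an RVA) and checks for a WIN_CERTIFICATE of type PKCS_SIGNED_DATA, and it looks for the `.signature.p7s` entry that a NuGet author or repository signature adds at the package root. It only establishes presence of a signature blob; chain, timestamp and hash validation are left to `signtool verify /pa` and `dotnet nuget verify`. The header-only PE images, the placeholder signature bodies and the package layout in the helpers are constructed test inputs.

```python
"""Added example: audit a .nupkg for a NuGet package signature and per-DLL Authenticode
signatures. Not MailKit/MimeKit code. Presence check only: the PKCS#7 body, chain and
timestamp are not validated here."""
import io
import struct
import zipfile

IMAGE_DIRECTORY_ENTRY_SECURITY = 4        # data-directory slot that holds the Certificate Table
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
WIN_CERT_REVISION_2_0 = 0x0200
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002   # Authenticode: a PKCS#7 SignedData structure


def authenticode_blob(pe: bytes):
    """Return {'length','revision','type'} of the embedded WIN_CERTIFICATE, or None if unsigned."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    opt = e_lfanew + 4 + 20                    # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == PE32_MAGIC:
        count_off, dirs_off = opt + 92, opt + 96
    elif magic == PE32PLUS_MAGIC:
        count_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    if struct.unpack_from("<I", pe, count_off)[0] <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return None                            # image has no Certificate Table slot at all
    # Unlike every other directory, the Certificate Table entry is a raw file offset, not an RVA.
    offset, size = struct.unpack_from("<II", pe, dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    if offset == 0 or size == 0:
        return None
    if size < 8 or offset + size > len(pe):
        raise ValueError("Certificate Table points outside the file")
    length, revision, cert_type = struct.unpack_from("<IHH", pe, offset)
    if length > size or revision != WIN_CERT_REVISION_2_0 or cert_type != WIN_CERT_TYPE_PKCS_SIGNED_DATA:
        raise ValueError("Certificate Table present but not an Authenticode WIN_CERTIFICATE")
    return {"length": length, "revision": revision, "type": cert_type}


def audit_nupkg(nupkg: bytes) -> dict:
    """Report whether the package is NuGet-signed and which DLLs lack an Authenticode signature."""
    report = {"package_signed": False, "signed_dlls": [], "unsigned_dlls": []}
    with zipfile.ZipFile(io.BytesIO(nupkg)) as z:
        names = z.namelist()
        # A NuGet author/repository signature is stored as .signature.p7s at the package root.
        report["package_signed"] = ".signature.p7s" in names
        for name in sorted(names):
            if name.lower().endswith(".dll"):
                bucket = "signed_dlls" if authenticode_blob(z.read(name)) else "unsigned_dlls"
                report[bucket].append(name)
    return report


def make_minimal_pe(signed: bool) -> bytes:
    """Constructed test input: a header-only PE32+ image (0 sections, not loadable), optionally
    carrying a WIN_CERTIFICATE whose body is a placeholder, not real PKCS#7 SignedData."""
    e_lfanew, opt_size = 0x40, 112 + 16 * 8
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, opt_size, 0x2022)  # AMD64, DLL, executable
    headers_len = e_lfanew + 4 + 20 + opt_size
    cert = b""
    if signed:
        body = b"\x30\x00"  # placeholder DER, NOT a real signature
        cert = struct.pack("<IHH", 8 + len(body), WIN_CERT_REVISION_2_0, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + body
    dirs = [(0, 0)] * 16
    if signed:
        dirs[IMAGE_DIRECTORY_ENTRY_SECURITY] = (headers_len, len(cert))
    opt = struct.pack("<H", PE32PLUS_MAGIC) + b"\0" * 106 + struct.pack("<I", 16)
    opt += b"".join(struct.pack("<II", off, size) for off, size in dirs)
    return dos + b"PE\0\0" + coff + opt + cert


def make_nupkg(package_signed: bool, dlls: dict) -> bytes:
    """Constructed test input: a .nupkg (zip) holding {path: pe_bytes} plus, optionally, a
    placeholder .signature.p7s standing in for a real NuGet package signature."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Example.nuspec", "<package/>")
        for path, data in dlls.items():
            z.writestr(path, data)
        if package_signed:
            z.writestr(".signature.p7s", b"\x30\x00")  # placeholder, not a real CMS signature
    return buf.getvalue()


if __name__ == "__main__":
    pkg = make_nupkg(False, {"lib/net8.0/Signed.dll": make_minimal_pe(True),
                             "lib/net8.0/Unsigned.dll": make_minimal_pe(False)})
    print(audit_nupkg(pkg))
```

Run it against a real package by replacing the constructed `pkg` with `open("MailKit.x.y.z.nupkg", "rb").read()`; anything that lands in `unsigned_dlls` after the csproj target above has been wired up means signtool did not touch that file (a different TFM folder is the usual culprit, since the target only names two DLLs). For the assemblies it does report as signed, finish the job with `signtool verify /pa /v <dll>` and `dotnet nuget verify --all <nupkg>`, which actually validate the chain and timestamp this script deliberately skips.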

@elachlan
Author

elachlan commented Feb 7, 2025

Just a supplement: if you are signing locally you will need a hardware key along the lines of a YubiKey (https://www.yubico.com/products/yubikey-fips/). Otherwise there are cloud signing services for CI/CD.

@jstedfast
Owner

I'm currently building the final NuGet packages locally on my machine, but I also have CI/CD pipelines that publish NuGet packages to myget.org (instead of nuget.org).

I would not be opposed to shifting over to an automated release pipeline - I've been considering it for a while.

I do have a Yubikey, so that isn't an issue if I end up publishing locally. What services could/should I look into if I decide to work on writing an automated release pipeline this weekend?

@jstedfast
Owner

Looks like the .NET Foundation provides code-signing support, which MimeKit/MailKit are technically a part of, but in order to take advantage of that I'd need to move these projects over to the .NET Foundation's GitHub org, which I am kinda hesitant about doing. I kinda like having complete ownership of these 2 projects.

I think technically I've gotten away with not doing that so far only because MimeKit/MailKit were some of the first original projects that were part of the .NET Foundation when it was founded.

@elachlan
Author

elachlan commented Feb 8, 2025

If you are doing manual builds of the nugets and have a YubiKey, I suggest just getting a code signing certificate and changing your build process slightly.

If you automate it by going via the .NET Foundation, then you will probably get a hand from the team there in setting up a proper deployment pipeline, which could help you in the longer term by reducing your deployment overhead. I understand if you are hesitant to migrate these projects to the .NET Foundation GitHub though. You have some amount of independence here.

@elachlan
Author

@jstedfast have you had a chance to look into it a bit more? I think ultimately it is up to you how you want to approach it. CI/CD pipelines are a good approach, but would require some sort of cloud signing service. I have a GitHub project and my plan was manual builds for the nuget so I can code sign it. Cloud services were quite expensive in comparison.

@jstedfast
Owner

Sorry, I've just been very busy lately. Starting a new job today so this is kind of on the back-burner for a bit since it's a little more involved than I had hoped.

@jstedfast jstedfast added the enhancement New feature or request label Feb 18, 2025