
Digital signing of DLL in GitHub Actions

Open claudy opened this issue 2 years ago • 4 comments

Is your feature request related to a problem? Please describe.
Currently, the CsvHelper.dll in the NuGet package does not have a digital signature. A digital signature would aid in verifying its authenticity and integrity.

Describe the solution you'd like
The DLLs can be digitally signed after compilation as a part of the GitHub Actions. Nate McMaster's instructions are detailed and helpful. Documentation of SignTool.exe might be useful. NetNerds has an article about digitally signing PowerShell scripts in GitHub Actions. Some of that information would be relevant to signing CsvHelper.

Additional context
This came about because a security audit of 3rd party dependencies found missing digital signatures. CsvHelper was one of the dependencies missing a digital signature. The assertion is that a DLL should be digitally signed to ensure integrity of the DLL's contents, i.e. it was not tampered with by a malicious actor.

claudy, Apr 10 '23 19:04
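The workflow step the issue asks for, written out as an added example (this is not CsvHelper's own build script and not taken from the linked instructions): a `pwsh` step on a Windows runner that signs the built DLL with SignTool.exe, timestamps the signature so it outlives the certificate, verifies the result with `signtool verify`, and then runs the same Authenticode status check an auditor would run on the shipped package. Assumed and not from the issue: the secret names `CODESIGN_PFX_BASE64` and `CODESIGN_PFX_PASSWORD`, the default DLL path, and the use of DigiCert's public RFC 3161 timestamp server.

```powershell
# Added example, not CsvHelper's own workflow. Intended to run as a GitHub Actions
# step with `shell: pwsh` on a windows-* runner, which ships a Windows SDK and
# therefore signtool.exe.
# Assumptions (not from the issue): the PFX is stored base64-encoded in the
# repository secret CODESIGN_PFX_BASE64 and its password in CODESIGN_PFX_PASSWORD,
# both mapped into the step's environment via the workflow's `env:` block.
param(
    [string]$DllPath = "src/CsvHelper/bin/Release/netstandard2.0/CsvHelper.dll", # assumed output path
    [string]$TimestampUrl = "http://timestamp.digicert.com"                      # public RFC 3161 TSA
)

$ErrorActionPreference = 'Stop'

function Find-SignTool {
    # Pick the newest x64 signtool.exe from the installed Windows Kits.
    $kits = "${env:ProgramFiles(x86)}\Windows Kits\10\bin"
    $tool = Get-ChildItem -Path $kits -Recurse -Filter signtool.exe -ErrorAction SilentlyContinue |
        Where-Object { $_.FullName -like '*\x64\*' } |
        Sort-Object FullName -Descending |
        Select-Object -First 1
    if (-not $tool) { throw "signtool.exe not found under $kits" }
    return $tool.FullName
}

function Invoke-DllSigning {
    param([string]$Path, [string]$Tsa)

    # Materialise the certificate from the secret only for the lifetime of this step.
    $pfxPath = Join-Path $env:RUNNER_TEMP 'codesign.pfx'
    [IO.File]::WriteAllBytes($pfxPath, [Convert]::FromBase64String($env:CODESIGN_PFX_BASE64))
    try {
        $signtool = Find-SignTool
        # /fd and /td select SHA-256 for the file digest and the timestamp digest;
        # /tr requests an RFC 3161 timestamp so the signature remains valid after
        # the signing certificate expires.
        & $signtool sign /fd SHA256 /tr $Tsa /td SHA256 /f $pfxPath /p $env:CODESIGN_PFX_PASSWORD $Path
        if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

        # /pa applies the default Authenticode policy; /v prints the certificate chain.
        & $signtool verify /pa /v $Path
        if ($LASTEXITCODE -ne 0) { throw "signtool verify failed with exit code $LASTEXITCODE" }
    }
    finally {
        Remove-Item $pfxPath -Force -ErrorAction SilentlyContinue
    }
}

function Test-AuthenticodeStatus {
    # The check a dependency audit runs against a consumed package: every DLL under
    # the folder must carry a signature that chains to a trusted root. Returns the
    # files that fail, with the reason (NotSigned, HashMismatch, NotTrusted, ...).
    param([string]$Folder)
    Get-ChildItem -Path $Folder -Recurse -Filter *.dll |
        ForEach-Object { Get-AuthenticodeSignature -FilePath $_.FullName } |
        Where-Object { $_.Status -ne 'Valid' } |
        Select-Object Path, Status, StatusMessage
}

Invoke-DllSigning -Path $DllPath -Tsa $TimestampUrl

# Fail the job if anything in the output folder is unsigned or tampered with.
$outputFolder = Split-Path $DllPath
$failures = Test-AuthenticodeStatus -Folder $outputFolder
if ($failures) {
    $failures | Format-Table -AutoSize | Out-String | Write-Host
    throw "One or more DLLs in $outputFolder are unsigned or carry an invalid signature"
}
Write-Host "All DLLs in $outputFolder carry a valid Authenticode signature"
```

In the workflow, the step would be `run: ./sign.ps1` with `shell: pwsh` and an `env:` block mapping `CODESIGN_PFX_BASE64: ${{ secrets.CODESIGN_PFX_BASE64 }}` and `CODESIGN_PFX_PASSWORD: ${{ secrets.CODESIGN_PFX_PASSWORD }}`. `Test-AuthenticodeStatus` is also the function to point at an extracted `.nupkg` (copy it to a `.zip` and `Expand-Archive` it) when reproducing the audit finding described in the issue, since `Get-AuthenticodeSignature` reports `NotSigned` for an unsigned CsvHelper.dll and `HashMismatch` for a signed one whose bytes were altered afterwards.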

After consideration of options, my company decided to grant an exception for CsvHelper in the security audit. Maybe someday there will be a service similar to Let's Encrypt for code-signing purposes. For most open-source projects, code-signing certificates are too expensive and provide maintainers little to no benefit.

claudy, May 02 '23 20:05

I'm going to keep this open so I can look into it in the future. I plan on using GitHub Actions to build and deploy in the future.

JoshClose, May 03 '23 14:05

While researching options, I did find keyfactor/signserver-ce which may be relevant to you.

claudy, May 03 '23 15:05