
FluentAssertions package is not Authenticode signed

Open bichuga opened this issue 6 years ago • 8 comments

Description

FluentAssertions package is not Authenticode signed

Complete minimal example reproducing the issue

Our compliance requirement to use this package to prevent supply-chain attacks is that it is Strong Name and Authenticode signed. StrongName proves it was not tampered with, and Authenticode proves who produced the binary.

Actual behavior:

FluentAssertions binaries are StrongName signed but not Authenticode signed.

sn.exe -vf "...\fluentassertions.5.6.0.nupkg\lib\net45\FluentAssertions.dll"
Microsoft (R) .NET Framework Strong Name Utility  Version 4.0.30319.0
Copyright (c) Microsoft Corporation.  All rights reserved.

Assembly '...\fluentassertions.5.6.0.nupkg\lib\net45\FluentAssertions.dll' is valid

However, it is not Authenticode signed. chktrust -v <binary> pops a dialog saying the publisher cannot be verified. You can also right-click the binary and check the signature to see there is none.

Versions

  • Which version of Fluent Assertions are you using? 5.6.0
  • Which .NET runtime and version are you targeting? E.g. .NET Framework 4.6.1 or .NET Core 2.0. All

bichuga avatar Jan 17 '19 19:01 bichuga
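The report above checks the two signatures with Windows tooling (sn.exe, chktrust, the file properties dialog). As an added example, not code from the FluentAssertions project or from anyone in this thread, the script below performs the same presence check by reading the PE headers directly, so it also works on a Linux CI box that has unpacked the .nupkg: the Authenticode signature is a WIN_CERTIFICATE blob whose file offset sits in the security data directory, and a strong-name signature shows up as the STRONGNAMESIGNED flag plus a non-empty StrongNameSignature slot in the CLR (IMAGE_COR20) header. `build_sample_pe` is a constructed, non-loadable stand-in image used only so the check can be exercised offline; the names `inspect_assembly` and `build_sample_pe` are this example's own.

```python
"""Detect strong-name and Authenticode signatures in a .NET assembly by
reading its PE headers. Added example, not FluentAssertions code.
Presence only: sn.exe -vf / signtool verify still decide validity."""
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4         # Authenticode certificate table
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14  # CLR (IMAGE_COR20_HEADER)
COMIMAGE_FLAGS_STRONGNAMESIGNED = 0x8
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002


def _u16(b, off): return struct.unpack_from("<H", b, off)[0]
def _u32(b, off): return struct.unpack_from("<I", b, off)[0]


def inspect_assembly(data: bytes) -> dict:
    """Return {'is_clr', 'strong_name', 'authenticode'} for a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file (no MZ header)")
    pe = _u32(data, 0x3C)                        # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file (no PE signature)")
    coff = pe + 4
    nsections = _u16(data, coff + 2)
    opt_size = _u16(data, coff + 16)
    opt = coff + 20
    magic = _u16(data, opt)
    if magic == 0x10B:                           # PE32
        ndirs_off, dirs_off = 92, 96
    elif magic == 0x20B:                         # PE32+
        ndirs_off, dirs_off = 108, 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    ndirs = _u32(data, opt + ndirs_off)

    def directory(idx):                          # -> (VirtualAddress, Size)
        if idx >= ndirs:
            return 0, 0
        d = opt + dirs_off + 8 * idx
        return _u32(data, d), _u32(data, d + 4)

    def rva_to_offset(rva):                      # walk the section table
        for i in range(nsections):
            s = opt + opt_size + 40 * i
            vsize, va = _u32(data, s + 8), _u32(data, s + 12)
            raw_size, raw_ptr = _u32(data, s + 16), _u32(data, s + 20)
            if va <= rva < va + max(vsize, raw_size):
                return rva - va + raw_ptr
        raise ValueError("RVA 0x%x is not in any section" % rva)

    result = {"is_clr": False, "strong_name": False, "authenticode": False}

    # Authenticode: the security directory holds a *file offset* (not an
    # RVA) of a WIN_CERTIFICATE blob appended after the last section.
    cert_off, cert_size = directory(IMAGE_DIRECTORY_ENTRY_SECURITY)
    if cert_off and cert_size >= 8:
        result["authenticode"] = (
            _u16(data, cert_off + 6) == WIN_CERT_TYPE_PKCS_SIGNED_DATA)

    # Strong name: the CLR header carries the STRONGNAMESIGNED flag and
    # points at the RSA signature blob stored inside the image.
    clr_rva, clr_size = directory(IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR)
    if clr_rva and clr_size:
        result["is_clr"] = True
        clr = rva_to_offset(clr_rva)
        flags = _u32(data, clr + 16)
        sn_rva, sn_size = _u32(data, clr + 32), _u32(data, clr + 36)
        result["strong_name"] = bool(
            flags & COMIMAGE_FLAGS_STRONGNAMESIGNED and sn_rva and sn_size)
    return result


def build_sample_pe(strong_name: bool, authenticode: bool) -> bytes:
    """Constructed minimal PE32 image with a CLR header: not loadable, just
    enough header structure to stand in for a real DLL in tests."""
    text_rva, text_off, text_len = 0x2000, 0x200, 0x200
    flags = 0x1 | (COMIMAGE_FLAGS_STRONGNAMESIGNED if strong_name else 0)
    sn_rva, sn_size = (text_rva + 0x100, 128) if strong_name else (0, 0)
    clr = struct.pack("<IHHIIIIIIII", 72, 2, 5, 0, 0, flags, 0, 0, 0,
                      sn_rva, sn_size).ljust(72, b"\0")
    cert = b""
    if authenticode:                             # placeholder, not real PKCS#7
        body = b"constructed placeholder, not a real PKCS#7 SignedData blob"
        cert = struct.pack("<IHH", 8 + len(body), 0x0200,
                           WIN_CERT_TYPE_PKCS_SIGNED_DATA) + body
    dirs = [(0, 0)] * 16
    dirs[IMAGE_DIRECTORY_ENTRY_SECURITY] = (
        (text_off + text_len, len(cert)) if cert else (0, 0))
    dirs[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR] = (text_rva, 72)
    opt = struct.pack("<H", 0x10B).ljust(92, b"\0") + struct.pack("<I", 16)
    opt += b"".join(struct.pack("<II", *d) for d in dirs)   # 224 bytes total
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x2102)
    sect = b".text".ljust(8, b"\0") + struct.pack(
        "<IIII", text_len, text_rva, text_len, text_off).ljust(32, b"\0")
    headers = (b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)
               + b"PE\0\0" + coff + opt + sect).ljust(text_off, b"\0")
    return headers + clr.ljust(text_len, b"\0") + cert
```

For a real package, unzip the .nupkg (it is a plain zip) and call `inspect_assembly(open(path, "rb").read())` on each DLL under lib/; a 5.6.0 FluentAssertions.dll would come back with `strong_name` true and `authenticode` false, which is exactly what the sn.exe and chktrust output above shows. Two caveats: finding a blob is not verifying it (the certificate chain, timestamp and file hash are only checked by signtool verify, Get-AuthenticodeSignature or chktrust), and Microsoft documents strong naming as an identity mechanism rather than a security feature, so the Authenticode signature is the one that actually ties a binary to a publisher.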

@jnyrup I am not an expert in signing but according to this blog-post it seems quite easy to do. As far as I understand, you will need to update your build configuration to pass more arguments to the signing part:

signtool sign /v /ph /fd sha256 `
/f {certificate-path}.pfx `
/p {certificate-password} `
/t http://timestamp.verisign.com/scripts/timstamp.dll {dlls-to-sign}

Evangelink avatar Jun 24 '19 13:06 Evangelink

I think the biggest problem is to get a certificate. The ones we use at work are pretty expensive.

dennisdoomen avatar Jun 24 '19 16:06 dennisdoomen

Maybe you can sign code with the support of the .NET Foundation? https://dotnetfoundation.org/about

eNeRGy164 avatar Jun 24 '19 17:06 eNeRGy164

You should be able to create a .pfx file out of the SSL or .crt certificate you use for the website.

Evangelink avatar Jun 25 '19 08:06 Evangelink

Normally SSL certificates for websites don't have code signing switched on in their profile, and can't be used for that purpose.

eNeRGy164 avatar Jun 25 '19 08:06 eNeRGy164

Correct. And I don't own that certificate. Cloudflare is the one doing the SSL encryption.

dennisdoomen avatar Jun 25 '19 10:06 dennisdoomen

Where would we get such a certificate?

dennisdoomen avatar Oct 28 '23 18:10 dennisdoomen

https://dotnetfoundation.org/projects/benefits :)

eNeRGy164 avatar Oct 31 '23 20:10 eNeRGy164