starred/StrongNameSigner
1
0
Fork 0
mirror of https://github.com/brutaldev/StrongNameSigner.git synced 2026-04-25 11:26:04 +03:00
Code Issues Projects Releases Packages Wiki Activity

[GH-ISSUE #29] NuGet package not installed in .NET Standard 1.3 library #25

New issue
Closed
opened 2026-02-25 21:30:29 +03:00 by kerem · 13 comments
kerem commented 2026-02-25 21:30:29 +03:00
Owner
Copy link

Originally created by @epsitec on GitHub (Jan 19, 2017).
Original GitHub issue: https://github.com/brutaldev/StrongNameSigner/issues/29

I am working in Visual Studio 2015 (Update 3) and I created a *.csproj as a Class Library (PCL) which I then migrated to .NET Standard 1.3, by going to the properties of the project file, under Library and change the Targeting to .NETStandard1.3.

I then installed NuGet package Brutal.Dev.StrongNameSigner.2.1.0, expecting it to pop up in my packages folder. But nothing happens. The strong name signer tool cannot be used in conjunction with a .NET Standard PCL project.

I had to add another standard .NET project to my solution and include the NuGet package for Brutal.Dev.StrongNameSigner.2.1.0 over there in order to get it into packages.

Originally created by @epsitec on GitHub (Jan 19, 2017). Original GitHub issue: https://github.com/brutaldev/StrongNameSigner/issues/29 I am working in Visual Studio 2015 (Update 3) and I created a `*.csproj` as a _Class Library (PCL)_ which I then migrated to .NET Standard 1.3, by going to the properties of the project file, under _Library_ and change the _Targeting_ to `.NETStandard1.3`. I then installed NuGet package `Brutal.Dev.StrongNameSigner.2.1.0`, expecting it to pop up in my _packages_ folder. But nothing happens. The strong name signer tool cannot be used in conjunction with a .NET Standard PCL project. I had to add another standard .NET project to my solution and include the NuGet package for Brutal.Dev.StrongNameSigner.2.1.0 over there in order to get it into _packages_.
kerem closed this issue 2026-02-25 21:30:29 +03:00
kerem commented 2026-02-25 21:30:29 +03:00
Author
Owner
Copy link

@brutaldev commented on GitHub (Jan 19, 2017):

The package does not define any specific framework, it's a tool so it won't target any framework because it does not add references. Will have to investigate this one when I get some time.

<!-- gh-comment-id:273725721 --> @brutaldev commented on GitHub (Jan 19, 2017): The package does not define any specific framework, it's a tool so it won't target any framework because it does not add references. Will have to investigate this one when I get some time.
kerem commented 2026-02-25 21:30:29 +03:00
Author
Owner
Copy link

@epsitec commented on GitHub (Jan 19, 2017):

@onovotny might be of some help here!

<!-- gh-comment-id:273727119 --> @epsitec commented on GitHub (Jan 19, 2017): @onovotny might be of some help here!
kerem commented 2026-02-25 21:30:29 +03:00
Author
Owner
Copy link

@clairernovotny commented on GitHub (Jan 19, 2017):

Project.json does not install packages into the solution package folder. Instead it uses a shared per user location.

<!-- gh-comment-id:273768664 --> @clairernovotny commented on GitHub (Jan 19, 2017): Project.json does not install packages into the solution package folder. Instead it uses a shared per user location.
kerem commented 2026-02-25 21:30:29 +03:00
Author
Owner
Copy link

@epsitec commented on GitHub (Jan 19, 2017):

Ah, so the issue is with the tooling. So I can expect to have this solved with the new and shiny *.csproj in Visual Studio 2017?

<!-- gh-comment-id:273773329 --> @epsitec commented on GitHub (Jan 19, 2017): Ah, so the issue is with the tooling. So I can expect to have this solved with the new and shiny `*.csproj` in Visual Studio 2017?
kerem commented 2026-02-25 21:30:29 +03:00
Author
Owner
Copy link

@clairernovotny commented on GitHub (Jan 19, 2017):

Depends on what you're trying to do. Nuget v3 in general uses a per user location instead of per solution location. It was a significant optimization. The only way to install a package to a specific directory is by using the nuget install command and specifying a directory.

<!-- gh-comment-id:273780146 --> @clairernovotny commented on GitHub (Jan 19, 2017): Depends on what you're trying to do. Nuget v3 in general uses a per user location instead of per solution location. It was a significant optimization. The only way to install a package to a specific directory is by using the nuget install command and specifying a directory.
kerem commented 2026-02-25 21:30:29 +03:00
Author
Owner
Copy link

@epsitec commented on GitHub (Jan 19, 2017):

Our build environment requires that the packages get installed in a packages folder under the control of the solution (for instance because some of the unsigned assemblies in the packages need to be signed, and we don't want to do that in a global user location).

Switching to *.csproj without project.json on Visual Studio 2017 to compile .NET Standard class libraries means that msbuild will be in charge, right? Can we then still specify the path of the packages folder used by the solution?

<!-- gh-comment-id:273781066 --> @epsitec commented on GitHub (Jan 19, 2017): Our build environment requires that the packages get installed in a _packages_ folder under the control of the solution (for instance because some of the unsigned assemblies in the packages need to be signed, and we don't want to do that in a global user location). Switching to `*.csproj` without `project.json` on Visual Studio 2017 to compile _.NET Standard_ class libraries means that msbuild will be in charge, right? Can we then still specify the path of the _packages_ folder used by the solution?
kerem commented 2026-02-25 21:30:29 +03:00
Author
Owner
Copy link

@clairernovotny commented on GitHub (Jan 19, 2017):

In VS 2017, it uses <PackageReference> in the csproj and still uses a shared location. I believe there is a way to specify a specific packages location within a nuget.config file that you could have alongside your sln, but keep in mind that with netstandard, it has a large footprint. Also, package contents are re-validated on restore and if the contents don't match the targets, they're re-restored. You basically cannot alter the contents of a package's directory.

If you need to use a tool to alter a package contents, then you'd need to do it at build-time in the pipeline and put it somewhere like the obj dir (or some other temp location). You can't really modify nuget references in-place.

<!-- gh-comment-id:273784147 --> @clairernovotny commented on GitHub (Jan 19, 2017): In VS 2017, it uses `<PackageReference>` in the csproj and still uses a shared location. I believe there is a way to specify a specific packages location within a nuget.config file that you could have alongside your sln, but keep in mind that with netstandard, it has a large footprint. Also, package contents are re-validated on restore and if the contents don't match the targets, they're re-restored. You basically cannot alter the contents of a package's directory. If you need to use a tool to alter a package contents, then you'd need to do it at build-time in the pipeline and put it somewhere like the obj dir (or some other temp location). You can't really modify nuget references in-place.
kerem commented 2026-02-25 21:30:30 +03:00
Author
Owner
Copy link

@epsitec commented on GitHub (Jan 19, 2017):

Thank you, I'll give Visual Studio 2017 a try when it gets ripe for larger public consumption.
For now we are using a NuGet.config file which looks like this:

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <config>
	<!-- https://docs.nuget.org/consume/nuget-config-settings -->
    <add key="repositoryPath" value="./packages" />
  </config>
</configuration>

I am aware of the fact that modifying the packages contents is a slippery solution, but until now, the only really practical solution to consume unsigned NuGet assemblies is to let the StrongNameSigner tool do its magic and strong-name the assemblies in the <Target Name="BeforeBuild"> step.

Another approach would be to use a custom NuGet server which would strong name the unsigned assemblies on the fly, as explained in Maarten Balliauw's blog post.

<!-- gh-comment-id:273786225 --> @epsitec commented on GitHub (Jan 19, 2017): Thank you, I'll give Visual Studio 2017 a try when it gets ripe for larger public consumption. For now we are using a NuGet.config file which looks like this: ```xml <?xml version="1.0" encoding="utf-8"?> <configuration> <config> <!-- https://docs.nuget.org/consume/nuget-config-settings --> <add key="repositoryPath" value="./packages" /> </config> </configuration> ``` I am aware of the fact that modifying the `packages` contents is a slippery solution, but until now, the only really practical solution to consume unsigned NuGet assemblies is to let the `StrongNameSigner` tool do its magic and strong-name the assemblies in the `<Target Name="BeforeBuild">` step. Another approach would be to use a custom NuGet server which would strong name the unsigned assemblies on the fly, as explained in [Maarten Balliauw's blog](https://blog.maartenballiauw.be/post/2014/09/10/automatically-strong-name-signing-nuget-packages.html) post.
kerem commented 2026-02-25 21:30:30 +03:00
Author
Owner
Copy link

@clairernovotny commented on GitHub (Jan 19, 2017):

@epsitec the nuget config file is your best option for now, but as mentioned, it's tough as restore will overwrite things.

Just curious what's driving the need for this to begin with? StrongNaming is not a security measure; Authenticode signing handles that.

<!-- gh-comment-id:273788644 --> @clairernovotny commented on GitHub (Jan 19, 2017): @epsitec the nuget config file is your best option for now, but as mentioned, it's tough as restore will overwrite things. Just curious what's driving the need for this to begin with? StrongNaming is not a security measure; Authenticode signing handles that.
kerem commented 2026-02-25 21:30:30 +03:00
Author
Owner
Copy link

@epsitec commented on GitHub (Jan 19, 2017):

Our DLLs and EXEs and signed with Authenticode and we use that to secure against tampering.

Strong names happen to be handy to classify assemblies based on where they come from. We use reflection a lot, and being able to identify an assembly as ours very quickly is a good thing. And some part of our code relies on the strong name to decide whether a plug-in may be loaded or not.

Should we ditch the strong names altogether and rely on Authenticode (or on naming conventions) for what we do now? I don't really know what the implications would be. And this would mean that we would have to remove strong names in all our assemblies, and products...

<!-- gh-comment-id:273794335 --> @epsitec commented on GitHub (Jan 19, 2017): Our DLLs and EXEs and signed with Authenticode and we use that to secure against tampering. Strong names happen to be handy to classify assemblies based on where they come from. We use reflection a lot, and being able to identify an assembly as _ours_ very quickly is a good thing. And some part of our code relies on the strong name to decide whether a plug-in may be loaded or not. Should we ditch the strong names altogether and rely on Authenticode (or on naming conventions) for what we do now? I don't really know what the implications would be. And this would mean that we would have to remove strong names in all our assemblies, and products...
kerem commented 2026-02-25 21:30:30 +03:00
Author
Owner
Copy link

@clairernovotny commented on GitHub (Jan 19, 2017):

I would say that you'd be better off validating the authenticode signature if you're worried about tampering and origin. Anyone can do a "public sign" of an assembly using only the public key and if strong name validation is disabled (which it is by default unless it's in the GAC, in another appdomain, or shadow copied), then nothing is preventing someone from modifying and resigning the assembly. Only validating the authenticode signature and the certificate properties would give you that.

So any code making security decisions based on a strong name is inherently broken.

<!-- gh-comment-id:273795391 --> @clairernovotny commented on GitHub (Jan 19, 2017): I would say that you'd be better off validating the authenticode signature if you're worried about tampering and origin. Anyone can do a "public sign" of an assembly using only the public key and if strong name validation is disabled (which it is by default unless it's in the GAC, in another appdomain, or shadow copied), then nothing is preventing someone from modifying and resigning the assembly. Only validating the authenticode signature and the certificate properties would give you that. So any code making security decisions based on a strong name is inherently broken.
kerem commented 2026-02-25 21:30:30 +03:00
Author
Owner
Copy link

@epsitec commented on GitHub (Jan 19, 2017):

I was not aware of the fact that anyone could do a public sign without having to first disable strong name validation via the registry. Thank you very much. I now better understand why there was all this debate about signing (or not) assemblies over a year ago.

<!-- gh-comment-id:273798555 --> @epsitec commented on GitHub (Jan 19, 2017): I was not aware of the fact that anyone could do a _public sign_ without having to first disable strong name validation via the registry. Thank you very much. I now better understand why there was all this debate about signing (or not) assemblies over a year ago.
kerem commented 2026-02-25 21:30:30 +03:00
Author
Owner
Copy link

@brutaldev commented on GitHub (Jan 19, 2017):

The strong name signer is literally tampering with your assemblies an re-applying the strong name... The public key header section is well known and you can easily add it again. Authenticode has it's failures as well, such as introducing altered wintrust.dll files that always pass the digital signature check and doing basic P/Invoke interception (there is no managed way of checking a signature). The barriers you may put in place to prevent loading files that aren't your just make it difficult for most to circumvent, but if someone really wanted to there will unfortunately always be a way around it.

<!-- gh-comment-id:273803862 --> @brutaldev commented on GitHub (Jan 19, 2017): The strong name signer is literally tampering with your assemblies an re-applying the strong name... The public key header section is well known and you can easily add it again. Authenticode has it's failures as well, such as introducing altered `wintrust.dll` files that always pass the digital signature check and doing basic P/Invoke interception (there is no managed way of checking a signature). The barriers you may put in place to prevent loading files that aren't your just make it difficult for most to circumvent, but if someone really wanted to there will unfortunately always be a way around it.
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
v3.6.5
v3.6.4
v3.6.3
v3.6.2
v3.6.1
v3.6.0
v3.5.1
v3.5.0
v3.4.0
v3.3.3
v3.3.2
v3.3.1
v3.3.0
v3.2.1
v3.2.0
v3.1.1
v3.1.0
v2.9.1
v2.9.0
2.7.1
2.7.0
2.6.0
2.4.0
v2.3.0
v2.2.0
v2.1.4
v2.1.3
v2.1.2
v2.1.0
v2.0.0
v1.8.0
v1.7.0
v1.6.1
v1.5.1-2
v1.5.0
v1.5.1
v1.4.9
v1.4.8
v1.4.7
v1.4.6
1.4.5
1.4.4
1.4.3
1.4.2
1.4.1
1.4
v1.3.0.0
1.2
Labels
Clear labels   
bug

   
duplicate

   
duplicate

   
enhancement

   
invalid

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
wontfix
No labels
bug
duplicate
duplicate
enhancement
invalid
pull-request
question
wontfix
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
starred/StrongNameSigner#25
No description provided.