Mirror of https://github.com/brutaldev/StrongNameSigner.git (synced 2026-04-25 11:26:04 +03:00)
[GH-ISSUE #73] Transitive dependencies from PackageReferences are not investigated/signed #61
Originally created by @DoctorVanGogh on GitHub (Oct 27, 2022).
Original GitHub issue: https://github.com/brutaldev/StrongNameSigner/issues/73
I've come across a tricky issue with StrongNameSigner.
If you have a nuget package referenced via PackageReference but that package is (mostly) a metapackage - meaning it has lots of dependencies into other nuget packages - StrongNameSigner will only - if ever - sign the direct dependency.
If you have dependencies like
Only the direct assemblies from Foo will ever get looked at.
Here's an example project & program:
SNS will not sign anything in this situation.
And of course, the resulting assembly won't run :(
Should this be supported by SNS?
@brutaldev commented on GitHub (Oct 27, 2022):
This should be supported and should work because for each referenced assembly the entire dependency tree is traversed and all unsigned references will get signed and their references changed in the parent.
Thanks for the example code, will reproduce this and see if it can be fixed. I think your mention of "metapackage" might be the root cause because there is no direct reference to an assembly to start traversing from.
@nickrandolph commented on GitHub (Dec 13, 2022):
@brutaldev doesn't the code exclude any references coming from nuget packages?
see github.com/brutaldev/StrongNameSigner@c38d42ab8d/src/Brutal.Dev.StrongNameSigner/AutomaticBuildTask.cs (L73)
@dansiegel commented on GitHub (Dec 13, 2022):
Technically, I believe that these lines would also exclude NuGet references. This seems like the wrong approach as you likely want any unsigned references (particularly NuGet references) to also be signed.
github.com/brutaldev/StrongNameSigner@c38d42ab8d/src/Brutal.Dev.StrongNameSigner/AutomaticBuildTask.cs (L68-L71)
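
To see which assemblies a metapackage PackageReference actually pulls in, and therefore which DLLs need to be checked for a strong name, the resolved graph in NuGet's restore output (`obj/project.assets.json`) can be walked. This is an added example, not part of the issue thread and not StrongNameSigner's code; the JSON below is a constructed fragment, and the package names Bar and Baz and the `net6.0` framework key are assumptions.

```python
import json

# Constructed project.assets.json fragment (not from the issue). "Foo" is a
# metapackage with no assembly of its own; Bar and Baz are hypothetical names.
ASSETS = json.loads("""
{
  "targets": {"net6.0": {
    "Foo/1.0.0": {"type": "package", "dependencies": {"Bar": "2.0.0"},
                  "runtime": {"lib/netstandard2.0/_._": {}}},
    "Bar/2.0.0": {"type": "package", "dependencies": {"Baz": "3.1.0"},
                  "runtime": {"lib/netstandard2.0/Bar.dll": {}}},
    "Baz/3.1.0": {"type": "package",
                  "runtime": {"lib/netstandard2.0/Baz.dll": {}}}}},
  "project": {"frameworks": {"net6.0": {"dependencies": {
    "Foo": {"target": "Package", "version": "[1.0.0, )"}}}}}
}
""")


def runtime_assemblies(assets, framework):
    """Return (direct, transitive) lists of 'Package/version/path' DLL entries."""
    target = assets["targets"][framework]
    # Package ids are case-insensitive, so index the resolved entries by lower-case id.
    by_id = {key.split("/")[0].lower(): key for key in target}
    direct_ids = {name.lower() for name in
                  assets["project"]["frameworks"][framework]["dependencies"]}

    def dlls(key):
        # '_._' is NuGet's placeholder meaning "no assembly in this folder".
        return [f"{key}/{path}" for path in target[key].get("runtime", {})
                if path.lower().endswith(".dll")]

    direct, transitive, seen = [], [], set()
    stack = list(direct_ids)
    while stack:
        pkg_id = stack.pop()
        key = by_id.get(pkg_id)
        if key is None or key in seen:  # unresolved id or already visited
            continue
        seen.add(key)
        (direct if pkg_id in direct_ids else transitive).extend(dlls(key))
        stack.extend(dep.lower() for dep in target[key].get("dependencies", {}))
    return sorted(direct), sorted(transitive)


if __name__ == "__main__":
    direct, transitive = runtime_assemblies(ASSETS, "net6.0")
    print("assemblies from direct references:", direct)
    print("assemblies from transitive packages:", transitive)
```

With the constructed input the direct reference contributes no assembly at all, and every DLL that ends up in the output directory comes from a transitive package.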