tags:

views:

358

answers:

7
+19  Q: 

Who should own the private key used to sign a .NET assembly when its project is open-source?

More specifically, a class library assembly. My initial thoughts:

  • Have some designated administrators do all the assembly signing. But then when bug fixes and new versions are written, the binaries would ultimately depend on them being around (even if its just a small change for private reasons).
  • The key could be publicly available. But that goes against public-key cryptography practices and you lose the advantage of trust and identity.
  • Allow end-developers and distributors to sign it with their own keys. But then you lose modularization since each new signing makes it incompatible with some of the other versions.

Sure, you could just not sign the assembly. But if another project that requires their assembly to be signed references your library, you get a compile error.

+1  A: 

As far as I can remember I've never run into a signed open source project. If I needed it signed for some reason, I signed it myself. I can't really see an advantage to signing an assembly as such. If you're worried about the pre-compiled binary version being signed, then I would say just project management should have that key. A person creating a signed project though should be fully capable of adding the source code to their project, or creating the project's necessary signing and compiling it for themselves.

md5sum  2010-01-07 16:00:41
You *must* sign a binary to be able to install it in the GAC, so, yes, there is an advantage do doing so.
Craig Stuntz  2010-01-07 16:16:16
Additionally, the you must also sign it if another project references it and that other project needs to be signed for whatever reason. Otherwise, it wont even compile.
Arc  2010-01-07 17:10:28
+2  A: 

In Open Source, the "source" is open. Binaries are usually provided only for commodity.

Source does not need to be signed, if the binary is signed then the generator of the binary is also the owner of the secret key (which shall be kept secret).

Jorge Córdoba  2010-01-07 16:05:01
Disagree. Only signed assemblies can be GACced.
Craig Stuntz  2010-01-07 16:15:43
Disagree. It's pretty common for open-source to distribute official signed versions and only an authorized person can make the signed release. The source should not include the private key.
Sam  2010-01-07 16:30:40
Yeah, for commodity they do, and when they do, the official maintainer of the binary signs it. But if it's really open source, you can download the source code, generate your assembly and sign it with your own private key. Private keys are private, they shall never be distributed to any untrustworthy source (as the internet) or I could just supplant your identity so that you thing the binary that I'm giving you can be trusted when it can't.
Jorge Córdoba  2010-01-07 16:34:49
The problem exists only because of restrictions placed on .NET assemblies. It represents who owns the entire project, not just that particular binary. If it was a per-binary signature, it could still cooperate with the GAC and also be referenced by to-be-signed projects. But the fact that it's a per-project signature (or, more accurately, per-"company" signature), it also indicates its project identity, which is indeed useful for versioning and avoiding name collisions.
Arc  2010-01-07 17:40:24
+2  A: 

The question really revolves around who decides what is a release, doesn't it? If that is so, I think the releases should be signed with a personal key of the one actually being responsible for the release. If there are multiple persons responsible for creating releases there is nothing wrong with them sharing the key, except for higher risks of having to revoke/re-issue the key if one of the members of this group leaves.

In a broader scope, one has to admit, that .net doesn't really cater for re-using assemblies between multiple installed applications. Look into your SxS folder! So another way would always be for the distributor of the assembly to sign it with his own key. e.g. if a project uses log4net, it should sign the log4net assembly with its own key to take responsibility for its contents.

David Schmitt  2010-01-07 16:05:22
+4  A: 

I for one would not mind if more projects that you are probably going to just use as a refrence instead of edit and re-compile would offer a "signed" version of the dll. That would help in trusting a refrence to an existing .dll quicker than checking the code and compiling your own.

In a lot of open-source project there is kind of a "Parent" of the effort, think Linus or even John Gruber for examples. These people could hold the key or distribute one to a trusted admin for signing major releases.

Tj Kellie  2010-01-07 16:09:18
Lots of free/open source software projects provide you with a tarball or .zip file or whatever to download, along with a checksum. That way, you can tell if you're getting the real source. That sounds like a primitive form of signing to me.
David Thornley  2010-01-07 16:13:49
The checksum is a great way to verify you get what was provided without tampering or data loss. Signing an assembly also ensures it hasn't been tampered with. But it's also used as a per-project/company level of identity, whereas a checksum is a signature at the per-binary level.
Arc  2010-01-07 17:50:38
+1  A: 

Store the private key outside the source control root but referenced with a relative path. That way others can make builds using their own key. They'll be strongly signed but not official builds.

Setup an automatic build which has the full source tree and the private key. The auto-build can make official signed builds which can be released nightly or whatever. That way making official builds is automatic, so the authorized person holding the private key doesn't necessarily have to be involved (although you should have some mechanism in place for validating community contributed patches before including in an official build, but that's a separate issue really).

Sam  2010-01-07 16:29:47
+1  A: 

Strong naming is not intended to provide authenticity, validation, protection, or anything else like that. Its sole purpose is to provide a unique ID to an assembly or series of assemblies. This is so that you can have many assemblies named "Library" in the GAC, and when your application asks the runtime to load "Library", the system knows this means your "Library" assembly and not someone else's.

In light of this, I would simply include the strong name key in the source tree. If for some reason your project wants to provide authenticity or any of those other things, then you probably want Authenticode signing, which is not free and really is probably unnecessary for an open source project. If you decide to go that route and are wondering who should own the code signing key, that becomes more of a political question.

bsiegel  2010-01-07 17:57:41
+5  A: 

I've recently encountered the same problem in an open-source project that I maintain. Here is how I addressed this issue:

  • Sources are always available for dowload via the repository, but a release will consist of a snapshot of the sources, plus a compiled version.
  • Prior to making the compiled version available, I sign the assemblies with my private key.

So in your case, whoever is preparing the release should own the key. There is no need for the library developers to know about it at all.

If end-users want to recompile and sign with their own keys, that's fine. You can distinguish between the binaries of yours and others by comparing the public key that is present in the signed assemblies. Make the public key available and others can do the same.

Managing this process gets a bit cumbersome when the InternalsVisibleToAttribute is used to refer to strong-named assemblies. You can read about how I addressed that problem here.

Steve Guidi  2010-01-07 18:37:24
Good point, add InternalsVisibleAttribute to the list of strong name requirements! This could work since then nobody else can impersonate your assembly without committing code first.
Arc  2010-01-08 14:53:53

related questions

Displaying Flash content in a C# WinForms application
How to get the value of built, encoded ViewState?
Unhandled Exception Handler in .NET 1.1
How do I connect to a database and loop over a recordset in C#?
How do I most elegantly express left join with aggregate SQL as LINQ query
Get a new object instance from a Type in C#
.NET Testing Framework Advice
Automatically update version number
What is the difference between an int and an Integer in Java/C#?
How to write to Web.Config in Medium Trust ?
WinForms ComboBox data binding gotcha
How do you sort a C# dictionary by value?
Adding Scripting functionality to .NET applications
Floating Point Number parsing: Is there a Catch All algorithm?
How do I print an HTML document from a web service?
Decoding T-SQL CAST in C#/VB.net
Anatomy of a "Memory Leak"
How do I get a distinct, ordered list of names from a DataTable using Linq
Reliable Timer in a Console Application
How do I fill a DataSet or a DataTable from a LINQ query resultset ?
What's the difference between Math.Floor() and Math.Truncate() in .NET?
How do I calculate relative time?
How do I calculate someone's age in C#?
Are there any conversion tools for porting Visual J# code to C#?
When setting a form's opacity should I use a decimal or double?