FluentAssertions package is not Authenticode signed
Description
FluentAssertions package is not Authenticode signed
Complete minimal example reproducing the issue
Our compliance requirement to use this package to prevent supply-chain attacks is that it is Strong Name and Authenticode signed. StrongName proves it was not tampered with, and Authenticode proves who produced the binary.
Actual behavior:
FluentAssertions binaries are StrongName signed but not Authenticode signed.
sn.exe -vf "...\fluentassertions.5.6.0.nupkg\lib\net45\FluentAssertions.dll"
Microsoft (R) .NET Framework Strong Name Utility Version 4.0.30319.0
Copyright (c) Microsoft Corporation. All rights reserved.
Assembly '...\fluentassertions.5.6.0.nupkg\lib\net45\FluentAssertions.dll' is valid
However, it is not Authenticode signed.
chktrust -v <binary>
pops a dialog saying the publisher cannot be verified. Can also right-click the binary and check the signature to see there is none.
Versions
- Which version of Fluent Assertions are you using? 5.6.0
- Which .NET runtime and version are you targeting? E.g. .NET framework 4.6.1 or .NET Core 2.0. All
Issue Analytics
- State:
- Created 5 years ago
- Comments:6 (6 by maintainers)
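The check reported above can be automated for every binary in a package. The following is an added example, not code from the issue or from the FluentAssertions project: it reads the PE certificate table (the data directory where Authenticode signatures are stored) for each .dll/.exe inside a .nupkg and lists those with no embedded signature. It tests presence only, and the sample PE images and file names are constructed for illustration.

```python
import io
import struct
import zipfile

SECURITY_DIR = 4           # IMAGE_DIRECTORY_ENTRY_SECURITY: the certificate table
PKCS_SIGNED_DATA = 0x0002  # WIN_CERT_TYPE_PKCS_SIGNED_DATA, used by Authenticode

def has_authenticode(pe: bytes) -> bool:
    """True if the PE image embeds a PKCS#7 signature (presence only, not validity)."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not a PE image")
    nt = struct.unpack_from("<I", pe, 0x3C)[0]         # e_lfanew
    if pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = nt + 24                                      # skip signature + COFF header
    dir_start = {0x10B: 96, 0x20B: 112}.get(struct.unpack_from("<H", pe, opt)[0])
    if dir_start is None:
        raise ValueError("unknown optional-header magic")
    dirs = opt + dir_start                             # PE32 vs PE32+ layout
    if struct.unpack_from("<I", pe, dirs - 4)[0] <= SECURITY_DIR:
        return False                                   # directory table too short
    offset, size = struct.unpack_from("<II", pe, dirs + 8 * SECURITY_DIR)
    if offset == 0 or size < 8 or offset + size > len(pe):
        return False                                   # no (or truncated) certificate table
    return struct.unpack_from("<IHH", pe, offset)[2] == PKCS_SIGNED_DATA  # wCertificateType

def unsigned_binaries(nupkg: bytes) -> list[str]:
    """Names of .dll/.exe entries in a .nupkg (a zip) with no embedded signature."""
    with zipfile.ZipFile(io.BytesIO(nupkg)) as pkg:
        return sorted(n for n in pkg.namelist() if n.lower().endswith((".dll", ".exe"))
                      and not has_authenticode(pkg.read(n)))

def fake_pe(signed: bool) -> bytes:
    """Constructed sample: header-only PE32 image with an optional dummy certificate."""
    head = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40) + b"PE\0\0"
    head += struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x2102)
    opt = bytearray(224)
    struct.pack_into("<H90xI", opt, 0, 0x10B, 16)      # PE32 magic, NumberOfRvaAndSizes
    cert = struct.pack("<IHH", 16, 0x0200, PKCS_SIGNED_DATA) + bytes(8) if signed else b""
    if signed:
        struct.pack_into("<II", opt, 96 + 8 * SECURITY_DIR, len(head) + 224, 16)
    return head + bytes(opt) + cert

def fake_nupkg() -> bytes:  # constructed package; entry names are hypothetical
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("lib/net45/Signed.dll", fake_pe(True))
        pkg.writestr("lib/net45/Unsigned.dll", fake_pe(False))
    return buf.getvalue()
```

A signature that is present still has to be validated (chain, timestamp, publisher) with a tool such as `signtool verify /pa` or PowerShell's `Get-AuthenticodeSignature`.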
Top GitHub Comments
Maybe you can sign code with the support of the .NET Foundation? https://dotnetfoundation.org/about
Correct. And I don’t own that certificate. Cloudflare is the one doing the SSL encryption.