risks of signing application assemblies
https://stackoverflow.com/questions/6814753
-
25-10-2019 - |
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianQuestion
We consider to put one of our assemblies in the GAC for the purpose of versioning. This means this assembly must be signed and each other assembly it uses (e.g. 3rd party) must also be signed. Only the 3rd party vendor can do the signature. Is there a practical risk that some vendors will not supply a signed version and we are limitting ourselves?
Solution
The risk is not applicable.
You can only put an assembly in the GAC if it depends only on other GAC assemblies.
So your 3rd party libs should already be in the GAC.
If they are not, you can fake it (see @Preet Sangha) but then you become the publisher of those libs. And sharing those binaries with other apps will (can) not happen.
OTHER TIPS
You can always sign a third party one with ilmerge.
there's a link on my blog here: http://preetsangha.blogspot.com/2007/10/signing-third-party-assembly.html
Yes there is a risk, but 3rd Party vendors should be signed if they are appropriate for the GAC. You should be able to ask for them to be signed if they are not.
IMO, it is a risk, but not a major one, especially if you have an existing solution that you can verify is all signed.
