SixLabors.ImageSharp.Drawing.dll is missing an authenticode signature

[gulachek]

Prerequisites

• I have written a descriptive issue title
• I have verified that I am running the latest version of ImageSharp.Drawing
• I have verified if the problem exist in both DEBUG and RELEASE mode
• I have searched open and closed issues to ensure it has not already been reported

ImageSharp.Drawing version

2.1.7

Other ImageSharp packages and versions

Related issue in SixLabors.ImageSharp.3.1.12 and SixLabors.Fonts.2.1.3

Environment (Operating system, version and so on)

Windows

.NET Framework version

.NET 6+

Description

While the nuget package seems to be successfully signed, the individual SixLabors.ImageSharp.Drawing.dll component does not have an authenticode signature. See the below powershell output in the repro steps which shows what I mean between the nuget package level signature and the individual DLL signature.

My organization requires that DLL components have valid signatures. Is it possible to get a minor release with authenticode signatures?

Steps to Reproduce

Run the following in a Windows Environment.

Good: Nuget Package Signature

C:\Users\ngulache\.nuget\packages\sixlabors.imagesharp.drawing\2.1.7>dotnet nuget verify sixlabors.imagesharp.drawing.2.1.7.nupkg

Verifying SixLabors.ImageSharp.Drawing.2.1.7
Content hash: 9KwCo9Fa350cx6ckpsy8NqXQZKwir4RQ8Kj0sdCmJA7wsK9FMyfgC527Sn4l/D6bj2ditSHlhS7dGzcgGszvSQ==

Signature type: Repository
  Subject Name: CN=NuGet.org Repository by Microsoft, O=NuGet.org Repository by Microsoft, L=Redmond, S=Washington, C=US
  SHA256 hash: 1F4B311D9ACC115C8DC8018B5A49E00FCE6DA8E2855F9F014CA6F34570BC482D
  Valid from: 2/22/2024 6:00:00 PM to 5/18/2027 6:59:59 PM

Bad: Missing Authenticode Signature

PS C:\Users\ngulache\.nuget\packages\sixlabors.imagesharp.drawing\2.1.7\lib\net6.0> Get-AuthenticodeSignature .\SixLabors.ImageSharp.Drawing.dll


    Directory: C:\Users\ngulache\.nuget\packages\sixlabors.imagesharp.drawing\2.1.7\lib\net6.0

SignerCertificate                         Status                                                                                                                 Path
-----------------                         ------                                                                                                                 ----
                                          NotSigned                                                                                                              SixLabors.ImageSharp.Drawing.dll


PS C:\Users\ngulache\.nuget\packages\sixlabors.imagesharp.drawing\2.1.7\lib\net6.0> signtool verify .\SixLabors.ImageSharp.Drawing.dll
File: .\SixLabors.ImageSharp.Drawing.dll
Index  Algorithm  Timestamp
========================================
SignTool Error: No signature found.

Number of errors: 1

Images

No response

[gulachek]

Related to Fonts 490 and ImageSharp 3029

[JimBobSquarePants]

Please do not spam my issue tracker. This is not a defect. You should have used the appropriate discussion channel.

[gulachek]

I'm sorry, I didn't mean to come across as spamming. I perceived "question" as being something along the lines of troubleshooting or how to use the software. I thought a "feature request" would be requesting new functionality for the software. I thought this request most cleanly fit into an issue. Can you please let me know what the most appropriate avenue would be to discuss this? I'm happy to move the discussion there.

[JimBobSquarePants]

As mentioned above, please keep the issue tracker for actual defects. Authenticode signing of the DLL is not a functional bug, it is a packaging / compliance preference, so it should have been raised as a feature request in Discussions rather than as an issue.

NuGet packages are already repository signed, which covers integrity and authenticity for distribution. Adding Authenticode signatures to the DLLs themselves is a separate concern and comes with non trivial ongoing cost, since it requires obtaining and maintaining a trusted code signing certificate and wiring that into the build pipeline.

I agree that Authenticode can be useful in locked down environments, so I am treating this as a feature request rather than a defect. I will convert this to a Discussion to track it appropriately.