stackoom
  简体   繁体   中英

Should Open-Source Libraries be Digitally Signed

 原文  2011-04-15 14:15:13       c#/ .net/ open-source/ digital-signature/ authenticode

Question

It is a good practice to always sign executable files (exe, dll, ocx, etc.). On the other hand, with an open source project it may considered disregarding the contributions to the project from all other developers.

This is quite an ethical dilemma for me and I would like to hear more opinions on this from either people who have been in a similar situation or people who contributed to an open source project.

I would like to note that this question is for an open-source project that was written in C# using .NET 4 so when user clicks the executable, he or she will be prompted a warning stating that the file is from an untrusted publisher if it is not digitally signed.

By the way, the assemblies all have strong-naming (signature) already, but they are not digitally signed yet (ie using a Verisign Code signing certificate).

2 answers

solution1
 4 ACCPTED  2011-04-15 14:28:52

.Net is a diffrent beast as many features require (especially libraries) require the file to be signed with a strong name key, but those can be self signed with no complaint from the final product (it uses the programs cert not the libraries to pop up that message box you refer to in your original question).

However in the general case I see nothing wrong with a group signing the official distro with a private key. If you do something to the source and recompile technically "the file is from an untrusted publisher" as I may trust Canonical but I do not trust you. As long as the executable being not being signed from a specific publisher does not stop it from being used in the manner it was intended (the tivoization clause in the GPL) I see no reason NOT to sign your executables.

solution2
 2  2011-04-15 15:18:20

Saying that this is "quite an ethical dilemma" is probably blowing it out of proportion. You definitely want to code sign your executables, and I don't really see the problem with you signing it. For example, TortoiseSVN is signed by "Stefan Kueng, Open Source Developer".

That said, it is probably a good idea to form some kind of legal entity for your project, and then get the code-signing certificate in the name of your project's entity . That way, rather than you personally signing the executable (and thus "taking all the credit"), your project's name shows up as the publisher.

If you were in the US, I would suggest either forming a LLC or possibly a 501(c)(3) organization , which is exempt from income tax and allows individuals to make tax-deductable donations to the project. ( Many open source projects organize as 501(c)(3) entities, including WordPress and jQuery .) I see you're in Turkey, so you'll have to research your local requirements for forming some kind of legal entity; once formed, you'll be able to get a certificate from a CA in the name of your project's entity rather than your own.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Extensibility without Open-Source What open-source SIP clients (or libraries) there are that could be freely extended by developers? Is there an open-source implementation of an XPathNavigator for POCOs? Is it possible to create digitally signed xml using open ssl? How do you organise open-source Visual Studio projects with open-source dependencies? Can somebody help me modifying an open-source software (KeePass)? any open-source/free .NET profanity filter for website? Best open-source UI Framework for WinForms in 2022? Digitally signed e-mail with attachment Check whether a given executable is digitally signed and valid?
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM