Bug #87101 Strong named assemblies without provided private key in repository
Submitted: 17 Jul 2017 22:00 Modified: 18 Jul 2017 17:00
Reporter: Laurents Meyer (OCA)
Status: Not a Bug Impact on me: None
Category: Connector / NET Severity: S2 (Serious)
Version: OS: Any
Assigned to: CPU Architecture: Any

[17 Jul 2017 22:00] Laurents Meyer
Description:
By strong naming the assemblies and then omitting the private key from the repository, it is hard for the community to contribute high-quality code.

For example, it would be necessary to remove all strong name configurations ("VisibleTo" etc.) and recompile the assemblies just to run some of the unit tests ("MySql.EntityFramework6.Basic.Tests", for example), which is a pain in the ass and therefore potentially harmful when unit tests, and thus code quality, depend on it.

It is also a bad idea if you want to roll out your own version of the libraries to quickly fix a bug, because it could force you to reconfigure and recompile every dependency.

How to repeat:
Fetch any of the later commits, make sure the private key "ConnectorNet.snk" is missing (if not, delete or rename it) and try to run some unit tests that reference other components ("MySql.EntityFramework6.Basic.Tests", for example).

Suggested fix:
There is a long and thorough discussion about this subject in this thread (though for connector-net, the main issue is the tests):

https://github.com/Microsoft/XamlBehaviors/pull/29#issuecomment-162572491

To summarize as much as possible, it quotes this Microsoft article:

https://docs.microsoft.com/en-us/dotnet/framework/app-domains/strong-named-assemblies

From the article:
"Do not rely on strong names for security. They provide a unique identity only."

"If you are an open-source developer and you want the identity benefits of a strong-named assembly, consider checking in the private key associated with an assembly into your source control system."

So I suggest either not signing the assemblies at all, or at least adding the private key to the repository.
[18 Jul 2017 17:00] Roberto Ezequiel Garcia Ballesteros
Hi,

In order to compile the projects, we provide a public key so that a delay-signed (partially signed) assembly can be created:

https://docs.microsoft.com/en-us/dotnet/framework/app-domains/delay-sign-assembly

Unfortunately, to run the tests you need a fully signed assembly, but you can disable strong name validation:

https://docs.microsoft.com/en-us/dotnet/framework/app-domains/how-to-disable-the-strong-na...

I do not recommend doing this in a production environment, and it is always good practice to re-enable strong name validation after finishing your tests.

Regards,
Roberto
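The delay-sign and skip-verification workflow that the reply above describes, written out as an added example (this is not code from the bug report or from the Connector/NET project). It assumes a Visual Studio Developer PowerShell with csc.exe and sn.exe on the PATH, and the file names ConnectorNet.pub.snk, Library.cs and Library.dll are placeholders chosen for the example; only ConnectorNet.snk is the name the report mentions.

```powershell
# Added example (not part of the bug report): build and test against a strong-name
# key whose private half is not in the repository, then undo the dev-machine exception.
# Assumes csc.exe and sn.exe on PATH; ConnectorNet.pub.snk, Library.cs and Library.dll
# are hypothetical names for this illustration.

# 1. (Key owner only) generate the key pair and extract the public half.
#    Only the .pub.snk is committed; ConnectorNet.snk stays private.
sn -k ConnectorNet.snk
sn -p ConnectorNet.snk ConnectorNet.pub.snk

# 2. (Contributor) compile delay-signed: the public key is embedded in the
#    assembly, but the signature slot is left empty (zero-filled).
csc /target:library /delaysign+ /keyfile:ConnectorNet.pub.snk /out:Library.dll Library.cs

# 3. Verification of a delay-signed assembly fails, which is what breaks the tests
#    that load it by strong name (InternalsVisibleTo, assembly references).
sn -v Library.dll

# 4. Register the assembly for verification skipping ON THIS DEVELOPMENT MACHINE ONLY.
#    On 64-bit Windows run this with both the x86 and the x64 sn.exe, because each
#    writes its entry to a different registry view and the test runner may be either.
sn -Vr Library.dll
sn -Vl            # list the current skip-verification entries

# ... run the unit tests here ...

# 5. Remove the exception when done. While it is registered, any assembly carrying
#    this public key token loads without its signature being checked, which is why
#    the reply says not to leave it enabled outside a test setup.
sn -Vu Library.dll

# 6. (Key owner) fully sign the release build with the private key and verify it.
sn -R Library.dll ConnectorNet.snk
sn -v Library.dll
```

The skip-verification entry is keyed on the assembly's public key token rather than on the file, so the exception in step 4 applies to every assembly built with that public key, not just the one named on the command line; that is the reason to keep it to a throwaway build machine and to run step 5 as soon as the tests finish.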