Assembly signing

[derekantrican]

In the wake of #5937 and #5938, a lot of users of Avalonia-built applications were seeing Windows Defender block those applications. Windows Defender claimed to have found a Trojan and as a "Severe" classification, deleted the assemblies. This resulted in a number of users being unable to launch the application until they somehow re-downloaded that assembly (usually by reinstalling the application).

The real solution is to sign the Avalonia assemblies.

[kekekeks]

We are currently choosing the authenticode certificate provider and investigating how to integrate signing to our build pipeline.

[sn4k3]

Also getting problems on the Avalonia.Themes.Default.dll

[derekantrican]

@sn4k3 see #5937 (comment) that is for the Windows Defender issues

[derekantrican]

@kekekeks is Avalonia possibly using the /p:PublishTrimmed=true flag? dotnet/runtime#33745

[kekekeks]

No, we are not.

[batzen]

You could ask SignPath. They offer an authenticode signing service for OSS projects. Maybe @matkoch from JetBrains can help you on that as they are using Avalionia. He also helped me getting started with SignPath for Snoop.

[matkoch]

Yep, let me know when you're interested.

[kekekeks]

Yes, it would be nice to get SignPath, since we got stuck with Sectigo for some reason.

[beto-rodriguez]

Avalonia assemblies seems to be signed, at least the Avalonia.Desktop assembly is, @kekekeks so this means that signing an assembly where the certificate is not provided by a trusted authority will cause this issue? for any assembly?

[josephnarai]

I have a trusted certificate, but it could be that the pkf I exported from my cer has an issue. All very confusing. Joseph Narai • Zenso

…

________________________________ From: Alberto Rodríguez ***@***.***> Sent: Saturday, December 4, 2021 1:04:37 PM To: AvaloniaUI/Avalonia ***@***.***> Cc: Joseph Narai ***@***.***>; Comment ***@***.***> Subject: Re: [AvaloniaUI/Avalonia] Assembly signing (#5939) @kekekeks<https://github.com/kekekeks> so signing an assembly where the certificate is not provided by a trusted authority will cause this issue? for any assembly? — You are receiving this because you commented. Reply to this email directly, view it on GitHub<#5939 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/ADMH5IQQD7J3EOLJVI32AQTUPFZLLANCNFSM45CYRRXQ>. Triage notifications on the go with GitHub Mobile for iOS<https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android<https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>.

[kekekeks]

There is a difference between strong name signing (that uses just a private key which can even be published if needed) and Authenticode signing (that requires a certificate provided by some authority). In case of @josephnarai it seems that provided strong name signing key file is incompatible with Mono.Cecil.

[darinkes]

Hi,

Whats the current status regarding Authenticode Signatures for Avalonia DLLs?
Seems there are a lot of AntiVir/Security Suites out there, which block usage of unsigned DLLs.

Thanks in advance

[rprimora-pricer]

Who/what is Cecil?

By the way, I pondered the idea of faulty environment but this error is also thrown in Azure Pipelines where I use msbuild.

[maxkatz6]

Cecil is a dependency that processes assemblies during XAML compilation.
Btw, please open a new issue with minimal repro, as yours and josephnarai issue isn't related to authenticode signing discussed in this topic.

[ThomasNieto]

@kekekeks is there any update on getting the assemblies authenticode signed? If no cert has been provisioned yet I'd recommend applying for a SignPath OSS cert.

[henrygab]

Assemblies still lack authenticode signatures ... more than three and a half years later.
@kekekeks ... Can you help folks understand what might be preventing this?