Turn off full signing on non-Windows platforms #566
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
omajid
requested review from
MichaelSimons,
crummel,
mthalman and
oleksandr-didyk
as code owners
crummel
reviewed
Mar 8, 2023
| <KeyFileDir>$(RepoRoot)src/referencePackages/snk/</KeyFileDir> | ||
| <SignAssembly>true</SignAssembly> | ||
| <PublicSign>true</PublicSign> | ||
| <FullAssemblySigningSupported Condition="('$(FullAssemblySigningSupported) == '') and ('$(OS)' != 'Windows_NT')">false</FullAssemblySigningSupported> |
Contributor
There was a problem hiding this comment.
Suggested change
| <FullAssemblySigningSupported Condition="('$(FullAssemblySigningSupported) == '') and ('$(OS)' != 'Windows_NT')">false</FullAssemblySigningSupported> | |
| <FullAssemblySigningSupported Condition="('$(FullAssemblySigningSupported)' == '') and ('$(OS)' != 'Windows_NT')">false</FullAssemblySigningSupported> |
Member
Author
There was a problem hiding this comment.
Thanks! You were too fast with the review :)
Full Signing doesn't work on some platforms (eg RHEL 9, which disables RSA+SHA1 which Full Signing needs). Full Signing is also really on required for .NET Framework support. It should not be needed on modern .NET (5 and later). More details at dotnet/runtime#65874
omajid
force-pushed
the
disable-full-signing-nix
branch
from
8ccc80c to
f603646
Compare
MichaelSimons
approved these changes
Mar 9, 2023
omajid
added a commit
to omajid/dotnet-installer
that referenced
this pull request
Mar 20, 2023
Full Signing requires RSA+SHA1 which is disabled in some environments (eg, RHEL 9, CentOS Stream 9). Expose a top-level flag to allow that to be disabled easily by users. The actual implementation of that flag is not here; it's in arcade (see dotnet/arcade#12749). Some repos have some nice-to-have fixes (eg, dotnet/source-build-reference-packages#566), but it's mostly optional. The bootstrap arcade SDK being used to build this needs needs to contain the changes for us to be able to build SBRP and then arcade and then all the other repos that will use arcade. For more context around RSA+SHA1 and the alternative (using public signing), see: - dotnet/runtime#65874 - dotnet/source-build#3202 - dotnet/arcade#12515
omajid
added a commit
to omajid/dotnet-installer
that referenced
this pull request
Mar 21, 2023
Full Signing requires RSA+SHA1 which is disabled in some environments (eg, RHEL 9, CentOS Stream 9). Default to turning it off. Expose a top-level property to allow Full Signing to be re-enabled by users. The actual implementation of that flag is not here; it's in arcade (see dotnet/arcade#12749). Some repos have some nice-to-have fixes (eg, dotnet/source-build-reference-packages#566), but it's mostly optional. The bootstrap arcade SDK being used to build this needs needs to contain the changes for us to be able to build SBRP and arcade; then all the other repos that will use the just-built arcade. For more context around RSA+SHA1 and the alternative (using public signing), see: - dotnet/runtime#65874 - dotnet/source-build#3202 - dotnet/arcade#12515
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Full Signing doesn't work on some platforms (eg RHEL 9, which disables RSA+SHA1 which Full Signing needs). Full Signing is also really on required for .NET Framework support. It should not be needed on modern .NET (5 and later).
More details at dotnet/runtime#65874