Digitally sign DLLs as tampering protection proof

[hamjo]

I'd like to be able to prove Serilog.Expressions.dll hasn't been tampered, but I can't since this file doesn't have a digital signature.

Signing Serilog.Expressions.dll in the the shipped NuGet package would enable us to secure our supply chain.

Our corporate policy requires us to only use digitally signed DLLs. We'll have to stop using Serilog without that feature.

[nblumhardt]

Hi @hamjo, thanks for dropping by!

Just to clarify, do you mean Serilog.Expressions.dll specifically, using code signing, or do you mean the Serilog.Expressions NuGet package?

Also, is there anything specific about Serilog.Expressions.dll that's different from Serilog.dll? (Just curious why you mention it specifically, rather than the core package/sink packages/etc.)

Many thanks,
Nick

[hamjo]

Hi @nblumhardt

Yes I meant Serilog.Expressions.dll specifically. using code signing.
For some internal reason, this dll was the first to be internally flagged as unsigned.
But as this requirement rolls out, I would be opening similar issues in core packages.

[cocowalla]

@hamjo isn't it rather... unusual for OSS projects to supply authenticode-signed binaries? Very curious to find out what other OSS deps you have that ship signed binaries?

I once worked with a bank that had the requirement that all .NET binaries were digitally signed, but we had to build from source and sign ourselves, with a code signing certificate provided by the bank - it was the only way to avoid a supply chain attack, and know for sure that the signed binaries had been built from the expected code.

[nblumhardt]

Hi @hamjo; just checking in - how did this one pan out? Thanks!