开源库是否应该进行数字签名

发布于 2024-11-02 06:07:07 字数 302 浏览 3 评论 0原文

始终对可执行文件(exe、dll、ocx 等)进行签名是一个好习惯。另一方面,对于开源项目,它可能会考虑忽略所有其他开发人员对该项目的贡献。

这对我来说是一个相当道德的困境,我想从有过类似情况的人或为开源项目做出贡献的人那里听到更多对此的意见。

我想指出的是,这个问题是针对一个使用 .NET 4 用 C# 编写的开源项目,因此当用户单击可执行文件时,他或她将收到一条警告,指出该文件来自不受信任的发布者,如果它没有经过数字签名。

顺便说一句,这些程序集都已经具有强命名(签名),但尚未进行数字签名(即使用 Verisign 代码签名证书)。

It is a good practice to always sign executable files (exe, dll, ocx, etc.). On the other hand, with an open source project it may considered disregarding the contributions to the project from all other developers.

This is quite an ethical dilemma for me and I would like to hear more opinions on this from either people who have been in a similar situation or people who contributed to an open source project.

I would like to note that this question is for an open-source project that was written in C# using .NET 4 so when user clicks the executable, he or she will be prompted a warning stating that the file is from an untrusted publisher if it is not digitally signed.

By the way, the assemblies all have strong-naming (signature) already, but they are not digitally signed yet (i.e. using a Verisign Code signing certificate).

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(2

七禾 2024-11-09 06:07:07

.Net 是一个不同的野兽,因为许多功能要求(尤其是库)要求文件使用强名称密钥进行签名,但这些可以自签名,而不会受到最终产品的抱怨(它使用程序证书而不是库来弹出)您在原始问题中提到的消息框)。

然而,在一般情况下,我认为团体使用私钥签署官方发行版并没有什么问题。如果您对源代码执行某些操作并从技术上重新编译,“该文件来自来自不受信任的发布者”,因为我可能信任 Canonical,但我不信任您。只要可执行文件不是由特定发布者签名的,就不会阻止它按照预期的方式使用(GPL 中的 tivoization 条款),我认为没有理由不对您的可执行文件进行签名。

.Net is a diffrent beast as many features require (especially libraries) require the file to be signed with a strong name key, but those can be self signed with no complaint from the final product (it uses the programs cert not the libraries to pop up that message box you refer to in your original question).

However in the general case I see nothing wrong with a group signing the official distro with a private key. If you do something to the source and recompile technically "the file is from an untrusted publisher" as I may trust Canonical but I do not trust you. As long as the executable being not being signed from a specific publisher does not stop it from being used in the manner it was intended (the tivoization clause in the GPL) I see no reason NOT to sign your executables.

夏日浅笑〃 2024-11-09 06:07:07

说这是“相当道德的困境”可能有些言过其实。您肯定想要代码签名您的可执行文件,而且我真的不认为你签字有什么问题。例如,TortoiseSVN 的签名者是“Stefan Kueng,开源开发人员”。

也就是说,为您的项目形成某种法律实体,然后以项目实体的名义获取代码签名证书可能是个好主意。这样,您的项目名称将显示为发布者,而不是您亲自签署可执行文件(从而“获得所有功劳”)。

如果您在美国,我建议您组建一个 LLC 或可能成立一个 501(c)(3) 组织,即免征所得税,并允许个人向该项目进行免税捐赠。 (许多开源项目组织为 501( c)(3) 实体,包括 WordPressjQuery。)我发现您在土耳其,因此您必须研究当地对组建某种法人实体的要求;一旦形成,您将能够以您项目实体的名义而不是您自己的名义从 CA 获得证书。

Saying that this is "quite an ethical dilemma" is probably blowing it out of proportion. You definitely want to code sign your executables, and I don't really see the problem with you signing it. For example, TortoiseSVN is signed by "Stefan Kueng, Open Source Developer".

That said, it is probably a good idea to form some kind of legal entity for your project, and then get the code-signing certificate in the name of your project's entity. That way, rather than you personally signing the executable (and thus "taking all the credit"), your project's name shows up as the publisher.

If you were in the US, I would suggest either forming a LLC or possibly a 501(c)(3) organization, which is exempt from income tax and allows individuals to make tax-deductable donations to the project. (Many open source projects organize as 501(c)(3) entities, including WordPress and jQuery.) I see you're in Turkey, so you'll have to research your local requirements for forming some kind of legal entity; once formed, you'll be able to get a certificate from a CA in the name of your project's entity rather than your own.

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文