Code signing of NGettext.dll

Question

Code signing of NGettext.dll

scancircle opened this issue 7 years ago · 6 comments

I use NGettext with embedded .mo files (instead of having satellite assemblies for all the languages). But I see the NGettext.dll is required and added to the output folder. Unfortunately it does not have a digital signature, which is required for online publishing (ClickOnce). I could sign it using my own code signing certificate but cannot find the right event (e.g. before/after compile/build/publish) or location (e.g. obj/bin/publish). Ultimately, NGettext.dll.deploy needs to be signed just before it is published. Do you have any tips? I am developing in VB.NET (Visual Studio 2017).

Answer 1 · 2018-03-05T19:26:12.000Z

Strange, the dll should be signed. Are you using the NuGet version of NGettext?

Answer 2 · 2018-03-05T19:34:59.000Z

Yes I am. When I check the properties of the NGettext.dll.deploy and all NGettext.dll files under packages\NGettext.0.6.3\lib, there is no "Digital Signature" tab.

Answer 3 · 2018-03-05T20:30:28.000Z

Oh, I get it. I thought you were talking about public key token signing for GAC.
No, the NGettext DLLs are not digitally signed. I don't even have a certificate for that :D
And I doubt you'll find any library with digital signature on NuGet either.

I didn't work with ClickOnce before, but I'd suggest to embed NGettext code into your assembly. You can do that with ILMerge for example.

Answer 4 · 2018-03-05T20:56:45.000Z

Thanks for the quick responses. I do use ILMerge for non-MS browsers, but for MSIE/Edge I use the ClickOnce functionality, which publishes the exe and dlls (with a .deploy extension) for online usage. I think I will publish it to a local folder first, then also sign the NGettext.dll.deploy in that folder with my own code signing certificate and manually upload that folder to my website.

Answer 5 · 2018-03-06T16:50:04.000Z

I decided not to sign the NGettext.dll itself with my own code signing certificate (because it is not my own code and others might also use my signed version) but to merge it with my .exe and sign the resulting .exe. Unfortunately, I face the following problems when performing the merge+sign at various moments:

AfterCompile: NGettext.dll has not yet been copied to the bin$(ConfigurationName) folder;
AfterBuild/BeforePublish: the .exe has been copied to the bin$(ConfigurationName) AND to the bin$(ConfigurationName)\app.publish folder (a slightly different version, 72 bytes bigger, is used for publishing) so I would need to do it twice;
AfterPublish: the files have been placed in a folder like publish\Application Files\xxx_a_b_c_d (where xxx is the assembly name and a/b/c/d the publish version), which is difficult to reference automatically.

The cleanest solution would be if you could copy the NGettext.dll on BeforeBuild/BeforeCompile. I could also pick the NGettext.dll from one of the packages\NGettext.0.6.3\lib subfolders, but I need the net20 and the net40 version (the .deploy version supports boths .NET 2.0 and 4.0, but the separate .exe files support either 2.0 or 4.0). On the other hand, all net## versions seem to be identical so if I only need .NET 2.0 and 4.0, can I then pick the NGettext.dll from the "hardcoded" path e.g. packages\NGettext.0.6.3\lib\net20?

Answer 6 · 2018-03-19T10:44:57.000Z

Correction: the net## versions are NOT identical. So I included the net20 version for the .NET Framework 2.0 release and the net40 version for the 4.0 release. The merged+signed 2.0 release worked fine, but the 4.0 release just crashed apparently because of a missing .exe.config.deploy file (which I don't even need). Since the config file cannot be merged into the single .exe and I only need simple 1-on-1 translations (no plural, parameters, etc.), I made my own implementation based on embedded .txt files and a name/value collection. Thanks for the support anyway.