什么是管理一个开源项目强名称密钥对推荐的方式？ [英] What is the recommended way to manage a strong-name key pair for an open-source project?

问题描述

我管理一个开源项目，并愿意签署了在该项目的二进制包发布的二进制文件。我使用Visual Studio 的csproj 和 SLN 文件管理和构建我的项目，同时也将这些文件分发为一体的一部分项目的源代码包。

我怎么能签我构建的生产二进制文件，而不必分发 SNK 键-pair文件？如果我使用Visual Studio签署组件，每个项目文件现在需要，以建立密钥对的副本。我不舒服分发密钥对，即使是密码保护

修改：

另一个需要注意的是，一些组件中通过 InternalsVisibleToAttribute 项目拨款的朋友访问，并通过项目建设参考的朋友。因此，这样的组件需要使用强名称指的是签名的程序集时。然而，如果密钥对未然后分布如何可以最终用户建立源和保持该项目的关系？如果临时密钥对文件时，不会对签名的程序集的变化，打破了 InternalsVisibleToAttribute 引用？

的公钥标记< DIV CLASS =h2_lin>解决方案

的锐齿的解决方案，如果在代码中唯一集引用是那些在项目文件编码的效果很好。如果你的项目通过 InternalsVisibleToAttribute 或需要一个强大的名字符串等手段指的是其他组件，那么它是不是可行的一个临时密钥建立资料库来源。这样做将改变存在于强名称字符串公钥引用和破解密码。

这是我的应用程序的情况下，所以我需要采取不同的方法。

我基本上创建的副本 SLN 和的csproj 文件，并修改的csproj 文件如下：

• 转化为链接的所有文件引用，指向原始资料。


• 复制和修改每个AssemblyInfo.cs文件包含的使用 InternalsVisibleToAttribute 具有较强的名称。


• 修改每个的csproj 文件，以便 SNK 文件引用是相对路径（消除了需要复制 SNK 文件到每个项目）

我先手动做这一切，但后来意识到，这可以在一个简单的方式实现自动化。第一和第三步骤可以使用XSLT，其中作为第二步骤可以用一个正则表达式搜索来实现来实现/替换功能。

因为我现在需要保持两个解决方案，它是有道理的自动执行此任务，以避免将来的麻烦。

在资源库中不建立与强的名字，这是很好的，因为我不想强加给最终用户的任何版本的限制或程序组件的源代码。

I manage an open-source project and would like to sign the binaries that are released in the project's binary package. I use Visual Studio csproj and sln files to manage and build my project, and also distribute these files as part of the project's source packages.

How can I sign the produced binaries of my build and not have to distribute the snk key-pair file? If I use Visual Studio to sign the assemblies, each project file now needs a copy of the key-pair in order to build. I'm not comfortable with distributing the key-pair, even if it is password protected.

Edit:

Another caveat is that some assemblies in the project grant friend access via InternalsVisibleToAttribute, and build those friends via a project reference. Consequently, such assemblies need to use a strong name when referring to a signed assembly. However, if the key-pair is not distributed then how can end-users build the sources and maintain the project relationships? If a temporary key-pair file is used, won't the public key token of the signed assemblies change, breaking the InternalsVisibleToAttribute references?

解决方案

Sharptooth's solution works well if the only assembly references in the code are those encoded in the project files. If your project refers to other assemblies via InternalsVisibleToAttribute or other means where a strong-name string is required, then it is not feasible to build the repository-sources with a temporary key. Doing so will change the public key references that are present in the strong-name strings and break the code.

This is the case in my application so I needed to adopt a different approach.

I basically created a copy of the sln and csproj files in a separate folder heirarchy and modified the csproj files as follows.

• Transformed all file references to links, pointing to the original sources.
• Copied and modified each AssemblyInfo.cs file to contain uses of InternalsVisibleToAttribute with a strong name.
• Modified each csproj file so that the snk file reference is a relative path (removes the need to copy the snk file to each project)

I first did all of this manually, but then realized that this can be automated in a straightforward manner. The first and third steps may be implemented with an XSLT, where as the second step can be implemented with a regex search/replace function.

Since I need to maintain two solutions now, it makes sense to automate this task to avoid future headaches.

The sources in the repository do not build assemblies with strong-names, which is fine, since I wouldn't want to impose any build restrictions or processes on end-users.

这篇关于什么是管理一个开源项目强名称密钥对推荐的方式？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！