Description
The --publicsign+ (or PublicSign project property) option used for public-signing projects does not work when the supplied strong name key is a full public/private key pair.
Steps to reproduce.
- Generate a strong name key pair (sn -k mykeypair.snk)
- Create a project that looks like this:

    <Project Sdk="Microsoft.NET.Sdk">
      <PropertyGroup>
        <OutputType>Exe</OutputType>
        <TargetFramework>net8.0</TargetFramework>
        <RootNamespace>fsharp_scratch</RootNamespace>
        <SignAssembly>True</SignAssembly>
        <AssemblyOriginatorKeyFile>mykeypair.snk</AssemblyOriginatorKeyFile>
        <PublicSign>true</PublicSign>
      </PropertyGroup>
      <ItemGroup>
        <Compile Include="Program.fs" />
      </ItemGroup>
    </Project>

Attempting to build this project will result in:

    A problem occurred writing the binary 'obj\Debug\net8.0\refint\fsharp-scratch.dll': A call to StrongNameSignatureSize failed (Invalid Public Key blob)
Note that public signing does work correctly if you supply it with just the public key.
- Extract the public key using sn -p mykeypair.snk publickey.snk
- Change the AssemblyOriginatorKeyFile to publickey.snk
- Observe that public signing works.
In theory, public signing, even with the full public/private key pair, should still work because the public key is a subset of the private key.
The C# / Roslyn toolset is able to use the full private key when used with publicsign.
As for the use case of why this is useful, this was reported by Red Hat / @omajid. They are trying to utilize PublicSign in their build process because full-signing does not work. Full signing does not work there because strong naming requires using the RSA+SHA1 signature algorithm, and that signature algorithm does not work on their systems because it is deprecated.
More background on the issue is available at dotnet/runtime#105486
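
The two .snk layouts involved in this report can be told apart and converted without any signing step. The following is an added example, not part of the original issue and not the F# or Roslyn compiler's code; it assumes the standard CryptoAPI RSA blob layout that sn writes, the function names are hypothetical, and the sample key bytes are constructed placeholders.

```python
import struct

CALG_RSA_SIGN = 0x2400   # signature algorithm id stored in both layouts
CALG_SHA1 = 0x8004       # hash algorithm id in the strong-name public key header
HDR = "<BBHI4sII"        # BLOBHEADER + RSAPUBKEY: type, version, reserved, alg, magic, bitlen, exponent

def classify_snk(data: bytes) -> str:
    """Return 'keypair', 'public' or 'unknown' for the bytes of an .snk file."""
    # Full key pair (sn -k): PRIVATEKEYBLOB (0x07) at offset 0, magic "RSA2".
    if len(data) >= 20 and data[0] == 0x07 and data[8:12] == b"RSA2":
        return "keypair"
    # Public key only (sn -p): 12-byte header, then PUBLICKEYBLOB (0x06), magic "RSA1".
    if len(data) >= 32 and data[12] == 0x06 and data[20:24] == b"RSA1":
        return "public"
    return "unknown"

def public_blob_from_keypair(data: bytes) -> bytes:
    """Build the public key blob (the sn -p layout) from a full key pair blob."""
    if classify_snk(data) != "keypair":
        raise ValueError("not an RSA key pair blob")
    _, version, _, alg, _, bitlen, exponent = struct.unpack_from(HDR, data)
    n, half = bitlen // 8, bitlen // 16
    # Layout after the 20-byte header: modulus, five half-size CRT values, private exponent.
    if len(data) != 20 + n + 5 * half + n:
        raise ValueError("key pair blob has unexpected length")
    modulus = data[20:20 + n]
    csp_public = struct.pack(HDR, 0x06, version, 0, alg, b"RSA1", bitlen, exponent) + modulus
    return struct.pack("<III", CALG_RSA_SIGN, CALG_SHA1, len(csp_public)) + csp_public

def constructed_keypair(bitlen: int = 1024) -> bytes:
    """Constructed placeholder with the key pair layout; the bytes are not a real RSA key."""
    n, half = bitlen // 8, bitlen // 16
    header = struct.pack(HDR, 0x07, 2, 0, CALG_RSA_SIGN, b"RSA2", bitlen, 65537)
    return header + b"\xAA" * n + b"\xBB" * (5 * half) + b"\xCC" * n

if __name__ == "__main__":
    pair = constructed_keypair()
    public = public_blob_from_keypair(pair)
    print(classify_snk(pair), len(pair), "->", classify_snk(public), len(public))
```

Only the header fields and the modulus are copied; none of the private values in the key pair blob reach the output.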