Explicit support for digitally signed packages and assemblies

Topics: Ecosystem
Nov 10, 2013 at 8:19 PM

One of the biggest challenges on the internet is to be able to verify the authenticity of binaries and scripts downloaded from the internet. For example, when downloading NHibernate from nuget.org, how would I know that it is the officially built version or not. How would I know whether that assembly was compromised? This is a particular tough question when you develop software in highly regulated industries, such as health care, finance or military.

I'd like to propose that
  • nuget explicitly supports digitally signed packages and assemblies.
  • nuget verify digitally signed packages and assemblies for authenticity.
  • nuget explicitly supports filtering based on whether a package is digitally signed. For example, Microsoft packages are signed, while some on nuget.org, isn't.
  • nuget has an option where unsigned packages are not permitted (e.g. only use Microsoft sanctioned packages, not those by untrusted developers).
Currently there is no way to exclude packages that are not digitally signed. Further, there is no process in place to validate the identity of binaries distributed by nuget before accepting them.

This is not an attempt to force everyone to digitally sign their packages, assemblies and scripts, but to provide an ecosystem where those willing can benefit from adoption by regulated industries.

In essence, what's the point of an SLDC if the binaries we download from nuget cannot be verified for authenticity?