19 votes
Jesse Houwing supported this idea ·
We'd love this feature.
Using System.IO.Packaging would be one of the ways to sign the packages. Also, once the NuGet package signing features are finalized, it would be nice if these were supported:
* https://github.com/NuGet/Home/issues/1882
* http://blog.nuget.org/20150203/package-signing.html
In our situation, where we consume packages provided by an external source (NuGet feed), we'd like to verify that any package sourced from these feeds is actually also signed by a trusted party before we install it.
In the banking environment I'm currently working in, another common way to validate packages is through PGP/SSH key signing of packages, similar to how a number of Unix package managers handle package signatures:
* https://www.davidfischer.name/2012/05/signing-and-verifying-python-packages-with-pgp/
* https://github.com/node-forward/discussions/issues/29
These solutions are not ideal in a public repo setting, but on private repos with limited sets of keys, it works really well.