6

On Windows, there is Authenticode to sign .NET Core / .NET 5 assemblies (please note that I am not referring to Strong Name Signing which is different). This prevents tampering and guarantees authenticity.

I am new to .NET Core on Linux. What is the equivalent of Authenticode signing on Linux for .NET Core? Since Authenticode signing is part of the Windows SDK (and not .NET Core) it is not available on Linux. Ideally there is some widely used convention for this.

Have looked around extensively on SO and online and have not been able to find anything useful or definitive. Any guidance would be greatly appreciated.

A X
  • 905
  • 2
  • 13
  • 31

1 Answers1

2

Executable code signing on Linux is typically done at the package repo level, not at the individual executable level.

One option, therefore, is to try getting your software into one of the major package repos for your chosen platform: APT, DNF, Homebrew…

For cases where that isn’t acceptable, you can set up your own repo and try to convince your users to install the repo, which in turn signs the packages delivered through it.

Warren Young
  • 40,875
  • 8
  • 85
  • 101
  • 3
    What about for a corporate environment where you don't want to make the binaries public, what would the recommended approach be? – A X Jun 14 '21 at 00:57
  • 2
    Also - would this repo approach allow verification of binary tampering "on the box" or only at install time? Thanks again for your help – A X Jun 14 '21 at 00:58
  • 1
    Re: corporate, nothing stops you from setting up a local repo server. It doesn’t have to be public. Re: post-install verification, many package repo systems do have such features. Be specific. – Warren Young Jun 14 '21 at 01:02