RE: Signing the log4net.dll with a digital signature
You're probably mixing signing the dll for GAC (strong name), and Authenticode as offered by Verisign and others which Michael asks for. You're absolutely correct. I didn't think that one through. I was thinking of the SN signing for the GAC, and not of the Authenticode requirement. I concur, just build/sign your own version. -Walden -- Walden H Leverich III Tech Software BEC - IRBManager (516) 627-3800 x3051 wald...@techsoftinc.com mailto:wald...@techsoftinc.com http://www.TechSoftInc.com http://www.techsoftinc.com/ http://www.IRBManager.com http://www.irbmanager.com/ Quiquid latine dictum sit altum viditur. (Whatever is said in Latin seems profound.) From: Dag Christensen [mailto:dag.christen...@vismaretail.no] Sent: Wednesday, October 14, 2009 3:11 AM To: Log4NET User Subject: RE: Signing the log4net.dll with a digital signature You're probably mixing signing the dll for GAC (strong name), and Authenticode as offered by Verisign and others which Michael asks for. Log4net is distributed as a strong name assembly signed by a key held by Apache. If you recompile log4net from source and want it strong named, you'll have to sign it with your own key. Keeping the original Apache key private allows an end-user to verify the binary has been built from original apache source (pgp is just an extra insurance). Authenticode works on existing binaries (signtool.exe), and the process is described here: https://knowledge.verisign.com/support/code-signing-support/index?page=c ontentid=AR190 Since the Apache license allows you to change and distribute your own versions of log4net (with some conditions, see 4. Redistribution at http://logging.apache.org/log4net/license.html), you should be free to digitally sign the binaries too. Regards, Dag Fra: Michael Hablich [mailto:m.habl...@tricentis.com] Sendt: 14. oktober 2009 08:54 Til: Log4NET User Emne: AW: Signing the log4net.dll with a digital signature Unfortunatly not. Maybe you mean the PGP signature but I need a digital signature for Windows DLLs. For instance Verisign issues such signatures. I doubt the Apache foundation has such signatures because they cost money. If I interpret the Apache license correctly it is okay to sign the DLL with my own signature but I am not sure. Von: Walden H. Leverich [mailto:wald...@techsoftinc.com] Gesendet: Dienstag, 13. Oktober 2009 18:22 An: Log4NET User Betreff: RE: Signing the log4net.dll with a digital signature But isn't there a signed version of l4n that you can download and use? Why sign your own? -- Walden H Leverich III Tech Software BEC - IRBManager (516) 627-3800 x3051 wald...@techsoftinc.com http://www.TechSoftInc.com http://www.techsoftinc.com/ http://www.IRBManager.com http://www.irbmanager.com/ Quiquid latine dictum sit altum viditur. (Whatever is said in Latin seems profound.) From: Michael Hablich [mailto:m.habl...@tricentis.com] Sent: Monday, October 12, 2009 7:58 AM To: Log4NET User Subject: AW: Signing the log4net.dll with a digital signature One prerequisite for Windows certification (for the software) is having all deployed DLLs digitally signed wheter from the original developer or the deployer. Von: Karim Bourouba [mailto:kar...@hotmail.com] Gesendet: Montag, 12. Oktober 2009 13:51 An: log4net-user@logging.apache.org Betreff: RE: Signing the log4net.dll with a digital signature I would say yes, it is. But I am not sure as to why you would want to do this? From: m.habl...@tricentis.com To: log4net-user@logging.apache.org Date: Mon, 12 Oct 2009 13:06:34 +0200 Subject: Signing the log4net.dll with a digital signature Hello, is it allowed to sign the log4net.dll with my own digital signature? Thanks in advance, Michael View your other email accounts from your Hotmail inbox. Add them now. http://clk.atdmt.com/UKM/go/167688463/direct/01/ ### This message has been scanned by F-Secure Anti-Virus for Microsoft Exchange. For more information, connect to http://www.f-secure.com/
RE: Signing the log4net.dll with a digital signature
You're probably mixing signing the dll for GAC (strong name), and Authenticode as offered by Verisign and others which Michael asks for. Log4net is distributed as a strong name assembly signed by a key held by Apache. If you recompile log4net from source and want it strong named, you'll have to sign it with your own key. Keeping the original Apache key private allows an end-user to verify the binary has been built from original apache source (pgp is just an extra insurance). Authenticode works on existing binaries (signtool.exe), and the process is described here: https://knowledge.verisign.com/support/code-signing-support/index?page=c ontentid=AR190 Since the Apache license allows you to change and distribute your own versions of log4net (with some conditions, see 4. Redistribution at http://logging.apache.org/log4net/license.html), you should be free to digitally sign the binaries too. Regards, Dag Fra: Michael Hablich [mailto:m.habl...@tricentis.com] Sendt: 14. oktober 2009 08:54 Til: Log4NET User Emne: AW: Signing the log4net.dll with a digital signature Unfortunatly not. Maybe you mean the PGP signature but I need a digital signature for Windows DLLs. For instance Verisign issues such signatures. I doubt the Apache foundation has such signatures because they cost money. If I interpret the Apache license correctly it is okay to sign the DLL with my own signature but I am not sure. Von: Walden H. Leverich [mailto:wald...@techsoftinc.com] Gesendet: Dienstag, 13. Oktober 2009 18:22 An: Log4NET User Betreff: RE: Signing the log4net.dll with a digital signature But isn't there a signed version of l4n that you can download and use? Why sign your own? -- Walden H Leverich III Tech Software BEC - IRBManager (516) 627-3800 x3051 wald...@techsoftinc.com http://www.TechSoftInc.com http://www.techsoftinc.com/ http://www.IRBManager.com http://www.irbmanager.com/ Quiquid latine dictum sit altum viditur. (Whatever is said in Latin seems profound.) From: Michael Hablich [mailto:m.habl...@tricentis.com] Sent: Monday, October 12, 2009 7:58 AM To: Log4NET User Subject: AW: Signing the log4net.dll with a digital signature One prerequisite for Windows certification (for the software) is having all deployed DLLs digitally signed wheter from the original developer or the deployer. Von: Karim Bourouba [mailto:kar...@hotmail.com] Gesendet: Montag, 12. Oktober 2009 13:51 An: log4net-user@logging.apache.org Betreff: RE: Signing the log4net.dll with a digital signature I would say yes, it is. But I am not sure as to why you would want to do this? From: m.habl...@tricentis.com To: log4net-user@logging.apache.org Date: Mon, 12 Oct 2009 13:06:34 +0200 Subject: Signing the log4net.dll with a digital signature Hello, is it allowed to sign the log4net.dll with my own digital signature? Thanks in advance, Michael View your other email accounts from your Hotmail inbox. Add them now. http://clk.atdmt.com/UKM/go/167688463/direct/01/ ### This message has been scanned by F-Secure Anti-Virus for Microsoft Exchange. For more information, connect to http://www.f-secure.com/
RE: Signing the log4net.dll with a digital signature
But isn't there a signed version of l4n that you can download and use? Why sign your own? -- Walden H Leverich III Tech Software BEC - IRBManager (516) 627-3800 x3051 wald...@techsoftinc.com mailto:wald...@techsoftinc.com http://www.TechSoftInc.com http://www.techsoftinc.com/ http://www.IRBManager.com http://www.irbmanager.com/ Quiquid latine dictum sit altum viditur. (Whatever is said in Latin seems profound.) From: Michael Hablich [mailto:m.habl...@tricentis.com] Sent: Monday, October 12, 2009 7:58 AM To: Log4NET User Subject: AW: Signing the log4net.dll with a digital signature One prerequisite for Windows certification (for the software) is having all deployed DLLs digitally signed wheter from the original developer or the deployer. Von: Karim Bourouba [mailto:kar...@hotmail.com] Gesendet: Montag, 12. Oktober 2009 13:51 An: log4net-user@logging.apache.org Betreff: RE: Signing the log4net.dll with a digital signature I would say yes, it is. But I am not sure as to why you would want to do this? From: m.habl...@tricentis.com To: log4net-user@logging.apache.org Date: Mon, 12 Oct 2009 13:06:34 +0200 Subject: Signing the log4net.dll with a digital signature Hello, is it allowed to sign the log4net.dll with my own digital signature? Thanks in advance, Michael View your other email accounts from your Hotmail inbox. Add them now. http://clk.atdmt.com/UKM/go/167688463/direct/01/
RE: Signing the log4net.dll with a digital signature
I would say yes, it is. But I am not sure as to why you would want to do this? From: m.habl...@tricentis.com To: log4net-user@logging.apache.org Date: Mon, 12 Oct 2009 13:06:34 +0200 Subject: Signing the log4net.dll with a digital signature Hello, is it allowed to sign the log4net.dll with my own digital signature? Thanks in advance, Michael _ View your other email accounts from your Hotmail inbox. Add them now. http://clk.atdmt.com/UKM/go/167688463/direct/01/