Signing the log4net.dll with a digital signature

Hello,

is it allowed to sign the log4net.dll with my own digital signature?

Thanks in advance,

Michael

One prerequisite for Windows certification (for the software) is having all deployed DLLs digitally signed wheter from the original developer or the deployer.

I would say yes, it is. But I am not sure as to why you would want to do this?



 

From: m.hablich@...
To: log4net-user@...
Date: Mon, 12 Oct 2009 13:06:34 +0200
Subject: Signing the log4net.dll with a digital signature

View your other email accounts from your Hotmail inbox. Add them now.

But isn't there a signed version of l4n that you can download and use? Why sign your own?

One prerequisite for Windows certification (for the software) is having all deployed DLLs digitally signed wheter from the original developer or the deployer.

I would say yes, it is. But I am not sure as to why you would want to do this?



 

From: m.hablich@...
To: log4net-user@...
Date: Mon, 12 Oct 2009 13:06:34 +0200
Subject: Signing the log4net.dll with a digital signature

View your other email accounts from your Hotmail inbox. Add them now.

Unfortunatly not. Maybe you mean the PGP signature but I need a digital signature for Windows DLLs. For instance Verisign issues such signatures. I doubt the Apache foundation has such signatures because they cost money.

If I interpret the Apache license correctly it is okay to sign the DLL with my own signature but I am not sure.

But isn't there a signed version of l4n that you can download and use? Why sign your own?

One prerequisite for Windows certification (for the software) is having all deployed DLLs digitally signed wheter from the original developer or the deployer.

I would say yes, it is. But I am not sure as to why you would want to do this?



 

From: m.hablich@...
To: log4net-user@...
Date: Mon, 12 Oct 2009 13:06:34 +0200
Subject: Signing the log4net.dll with a digital signature

View your other email accounts from your Hotmail inbox. Add them now.

You're probably mixing signing the dll for GAC (strong name), and Authenticode as offered by Verisign and others which Michael asks for.

Log4net is distributed as a strong name assembly signed by a key held by Apache. If you recompile log4net from source and want it strong named, you'll have to sign it with your own key. Keeping the original Apache key private allows an end-user to verify the binary has been built from original apache source (pgp is just an extra insurance).

Authenticode works on existing binaries (signtool.exe), and the process is described here: https://knowledge.verisign.com/support/code-signing-support/index?page=content&id=AR190

Since the Apache license allows you to change and distribute your own versions of log4net (with some conditions, see 4. Redistribution at http://logging.apache.org/log4net/license.html), you should be free to digitally sign the binaries too.

Regards,

Dag

Unfortunatly not. Maybe you mean the PGP signature but I need a digital signature for Windows DLLs. For instance Verisign issues such signatures. I doubt the Apache foundation has such signatures because they cost money.

If I interpret the Apache license correctly it is okay to sign the DLL with my own signature but I am not sure.

But isn't there a signed version of l4n that you can download and use? Why sign your own?

One prerequisite for Windows certification (for the software) is having all deployed DLLs digitally signed wheter from the original developer or the deployer.

I would say yes, it is. But I am not sure as to why you would want to do this?



 

From: m.hablich@...
To: log4net-user@...
Date: Mon, 12 Oct 2009 13:06:34 +0200
Subject: Signing the log4net.dll with a digital signature

View your other email accounts from your Hotmail inbox. Add them now.

Thanks, that was exactly what I wanted to know.

> You're probably mixing signing the dll for GAC (strong name), and Authenticode as offered by Verisign and others which Michael asks for.

You're absolutely correct. I didn't think that one through. I was thinking of the SN signing for the GAC, and not of the Authenticode requirement. I concur, just build/sign your own version.

-Walden

You're probably mixing signing the dll for GAC (strong name), and Authenticode as offered by Verisign and others which Michael asks for.

Log4net is distributed as a strong name assembly signed by a key held by Apache. If you recompile log4net from source and want it strong named, you'll have to sign it with your own key. Keeping the original Apache key private allows an end-user to verify the binary has been built from original apache source (pgp is just an extra insurance).

Authenticode works on existing binaries (signtool.exe), and the process is described here: https://knowledge.verisign.com/support/code-signing-support/index?page=content&id=AR190

Since the Apache license allows you to change and distribute your own versions of log4net (with some conditions, see 4. Redistribution at http://logging.apache.org/log4net/license.html), you should be free to digitally sign the binaries too.

Regards,

Dag

Unfortunatly not. Maybe you mean the PGP signature but I need a digital signature for Windows DLLs. For instance Verisign issues such signatures. I doubt the Apache foundation has such signatures because they cost money.

If I interpret the Apache license correctly it is okay to sign the DLL with my own signature but I am not sure.

But isn't there a signed version of l4n that you can download and use? Why sign your own?

One prerequisite for Windows certification (for the software) is having all deployed DLLs digitally signed wheter from the original developer or the deployer.

I would say yes, it is. But I am not sure as to why you would want to do this?



 

From: m.hablich@...
To: log4net-user@...
Date: Mon, 12 Oct 2009 13:06:34 +0200
Subject: Signing the log4net.dll with a digital signature

View your other email accounts from your Hotmail inbox. Add them now.

###########################################

This message has been scanned by F-Secure Anti-Virus for Microsoft Exchange.
For more information, connect to http://www.f-secure.com/