Only sign exe files #90
Comments
I have been thinking about this issue too. I had done some work a while ago to do parallel signing (signtool.exe seems to reliably sign up to 10 binaries at a time) and this sped up signing overall by ~9x. Would this solution be acceptable/fast enough for you? I can't seem to find any concrete answers as to if/when DLLs need to be signed, so I am a little hesitant to remove DLL signing without more research and testing.
It's better than currently. I've got 120 DLLs, 1 exe. So even the speed of signing the equivalent of approx 15 DLLs would still be a bit slow. Really all I need is an option just to sign exes only, I can understand your apprehension if people assume that's the right thing to do. I'm signing it basically to ensure that when the user starts the software on the machine that it can check the signing certificate and present the user that it is a properly signed executable. So DLLs aren't a worry for me. The other thought is that of those 121 DLLs only 3 or 4 ever change in a normal update cycle. Is there a way you could store the signed versions and reuse them if there are no changes? Thanks!
As one data point, we generally would prefer to have DLLs signed (although it does add considerable overhead to the build process) as it's one security measure we can take to ensure tampering has not occurred in distributions. Historically we've checked signatures on DLLs at load time (manually) but I don't think it's required by any specification on Windows. Caching post-signed DLLs would be pretty cool, I could definitely get behind that.
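The caching idea raised in the two comments above (reuse the signed copy of any DLL whose unsigned bytes did not change), as an added example; it is not code from this project or from anyone in the thread. `cache_key`, `sign_with_cache`, `params_id` and the stand-in signer and verifier are hypothetical names, and a real build would run its signing tool in `sign` and a signature check in `verify`.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

def cache_key(path: Path, params_id: str) -> str:
    # Hash signing parameters + unsigned bytes, so a new certificate never reuses old signatures.
    h = hashlib.sha256(params_id.encode() + b"\0")
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def sign_with_cache(files, cache_dir: Path, sign, verify, params_id: str) -> dict:
    """Sign files in place; reuse a cached signed copy only if it still verifies."""
    cache_dir.mkdir(parents=True, exist_ok=True)
    out = {"signed": [], "reused": []}
    for path in files:
        cached = cache_dir / (cache_key(path, params_id) + path.suffix)
        # The cache is a writable directory, so never trust an entry without re-verifying it.
        if cached.is_file() and verify(cached):
            shutil.copyfile(cached, path)
            out["reused"].append(path.name)
            continue
        sign(path)  # real build: invoke the signing tool here
        tmp = cached.with_name(cached.name + ".tmp")
        shutil.copyfile(path, tmp)
        tmp.replace(cached)  # atomic rename: no half-written cache entries
        out["signed"].append(path.name)
    return out

# --- constructed demo: stand-in signer/verifier, no real Authenticode involved ---
MARK = b"\n[constructed-signature]"

def fake_sign(path: Path) -> None:
    path.write_bytes(path.read_bytes() + MARK)

def fake_verify(path: Path) -> bool:
    return path.read_bytes().endswith(MARK)

def demo() -> list:
    with tempfile.TemporaryDirectory() as d:
        root, cache, runs = Path(d), Path(d) / "sigcache", []
        # Two constructed builds; the second one changes only b.dll.
        for build in ({"a.dll": b"A1", "b.dll": b"B1"}, {"a.dll": b"A1", "b.dll": b"B2"}):
            for name, data in build.items():
                (root / name).write_bytes(data)
            runs.append(sign_with_cache(sorted(root.glob("*.dll")), cache,
                                        fake_sign, fake_verify, "cert=PLACEHOLDER"))
        return runs
```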
Signing parallelism and exe-only signing is in 5f9f594. I will ship this as a v3 release soon, but will not be porting these changes to v2.
Thanks so much!
I am upgrading from Squirrel as I need .NET Core support. So far this seems to work perfectly.
I have only one problem, which was also a problem with Squirrel. I only want to sign the exes with signtool, it's simply too slow to go and sign all the DLLs every update.
I ended up making a source code change in Squirrel to only look at exes. With this version there are more regular updates, so I don't want to have to change the source code for every update.
Is there a way that I can only sign EXE files, or could one be added please?
Thanks!