Code signing should not use third party dependencies

[svrooij]

Is your feature request related to a problem? Please describe.

If we want to take security serious (and thus doing code signing), it should not depend upon third party dependencies.

Describe the solution you'd like

I would like these dependencies to be integrated into this project or removed.

Describe alternatives you've considered

Not doing code signing

Additional context

My pr for the NuGetKeyVaultSignTool, is open for 2 years. Because this part of the code uses a preview version of dotnet 6.0 and I was no longer accepting that.

If these third party dependencies are not vetted and managed the same way as dotnet sign the entire command should be treated as untrusted in my honest opinion.

[aafvstam]

I never understood why code signing wasn't included in the box and required expensive (out of reach for most startups) third party solutions. It took ages for SSL certificates to become available for free after the successful Let's Encrypt initiative. It is now available and easy to apply through integrated services. It would be a good time to do the same with code signing certificates, make it free and easy to implement. Microsoft always puts security on one so this would be a good opportunity to back this by developing an excellent integrated solution that is easy to use and implement by everyone.

[dlemstra]

It looks like the README needs to be updated. There are third party dependencies but NuGet signing is done by implementing the NuGet.Packaging.Signing.ISignatureProvider interface and no longer uses NuGetKeyVaultSignTool. The code of OpenOpcSignTool and AzureSignTool are both already integrated and modified in this project.

[dtivel]

The README does need to be updated. However, Sign CLI still has a dependency on AzureSign.Core. See https://github.com/dotnet/sign/blob/main/src/Sign.Core/DataFormatSigners/AzureSignToolSigner.cs