Should the fo-dicom dlls in the nuget be digitally signed by the project

[Tony-Jay]

Hi,

We distribute (externally) software which is built on Fo-dicom

some of our customers have very elaborate security software which complains when software is not digitally signed

We also distribute some nugets within the company that depend on f-dicom

When I look at the dlls in the nuget (5.0.3) , I do not see a digital signature

Does anyone know what the general philosophy of signing is in OSS as

1. I could sign them with our own signing certificate , does that make "sense" from a trust point of view . I trust the signed nuget feed, so I am just then signing the dll to show trust ?
2. For the fo-dicom project a signing cert cost money, so without someone covering the costs how would this work.

(I note that log4net is not signed but newtonsoft is )

There are other workarounds like building application as single exes and just signing that, but that is not available in legacy .net framework projects

[mrbean-bremen]

I'm in no way an expert, but as far as I have seen, some open source projects have been signed if they are developed by a company that already has a certificate and just contributed that.
From my point of view, if you distribute open source software, you are responsible for making sure it is trusted, which means that signing it with your own certificate would be ok, if you have ensured the consistence of the source. I have seen this done in commercial software (though of course always for a specific version that was tested.)