Can digital signing of 3rd party DLLs in nuget packages have potential negative effects?


Our clients require all assemblies in our distributed output to be signed digitally. Many 3rd party, open source assemblies are not digitally signed. For example Amazon SDK has no digital signature. We sign them with our digital signature in the output (<- note this).

The motivation here is to cut down on the build process, which generates many different outputs, and we sign the same assemblies over and over again. Calls to the timestamp server are sometimes slow, and these signatures represent 25% of the build time. But if all assemblies are pre-signed in their holding package folders, the only items that will need to be signed are the assemblies we produce.

But I am wondering if this has some potential effects with checksums, dynamic loading, licensing, DLL size counting, maybe potential 3rd party assembly-to-assembly verification. I am wondering if it is safe to just sign all assemblies in C:\Users\buildUser\.nuget\packages on the build server?

Again, we already sign them, but the packages contain a bunch of other DLLs that don't get pulled into the output of dotnet publish, and I am wondering if there could be negative effects from signing all of these. Thanks

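As an added example (not part of the original question or of any NuGet or Amazon SDK code), the script below parses PE headers directly to inventory the DLLs under a packages folder before any bulk signing: it reports which files already carry an Authenticode certificate table (so they need not be re-signed and re-timestamped), which are .NET assemblies (CLI header present), and each file's SHA-256. It also builds a constructed minimal PE32+ image with a placeholder certificate entry, not a real PKCS#7 blob, to show why the "checksum" concern is real: Authenticode appends the certificate table outside every section and points the security data directory at it (for that directory the VirtualAddress field is a raw file offset), so any hash computed over the raw file changes after signing. It does not validate a signature chain; use signtool verify or Get-AuthenticodeSignature for that. The folder path is supplied on the command line and is an assumption.

```python
"""Inventory Authenticode signature state of DLLs by parsing PE headers.
Added example, not from the original question. Standard library only."""
import hashlib
import struct
import sys
from pathlib import Path

IMAGE_DIRECTORY_ENTRY_SECURITY = 4           # certificate table (Authenticode)
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14    # CLI header (.NET assembly)
WIN_CERT_REVISION_2_0 = 0x0200
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002


def data_directory(data: bytes, index: int) -> tuple:
    """Return (address, size) of optional-header data directory `index`."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ header)")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file (missing PE signature)")
    opt = e_lfanew + 4 + 20          # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:               # PE32
        count_off, dirs_off = opt + 92, opt + 96
    elif magic == 0x20B:             # PE32+
        count_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    count = struct.unpack_from("<I", data, count_off)[0]
    if index >= count:
        return (0, 0)
    return struct.unpack_from("<II", data, dirs_off + 8 * index)


def has_authenticode_signature(data: bytes) -> bool:
    """True if the certificate table holds a well-formed WIN_CERTIFICATE entry.
    For this directory the 'VirtualAddress' field is a raw file offset and the
    table sits outside every section, which is why signing appends to the file."""
    offset, size = data_directory(data, IMAGE_DIRECTORY_ENTRY_SECURITY)
    if offset == 0 or size < 8 or offset + size > len(data):
        return False
    length, revision, cert_type = struct.unpack_from("<IHH", data, offset)
    return (8 <= length <= size
            and revision == WIN_CERT_REVISION_2_0
            and cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA)


def is_dotnet_assembly(data: bytes) -> bool:
    """A managed assembly has a non-empty CLI header data directory."""
    rva, size = data_directory(data, IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR)
    return rva != 0 and size != 0


def build_minimal_pe(signed: bool, dotnet: bool = False) -> bytes:
    """Construct a tiny PE32+ image (no sections) for offline demonstration.
    Constructed test data; the 'certificate' is a placeholder, not real PKCS#7."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)            # e_lfanew: PE header right after DOS header
    # x64 machine, 0 sections, 240-byte optional header, DLL + executable image flags
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x2022)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)            # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)             # NumberOfRvaAndSizes
    if dotnet:                                       # fake CLI header RVA/size, constructed
        struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, 0x2000, 72)
    headers_len = 64 + 4 + 20 + 240                  # 328 bytes; certificate table goes after this
    cert = b""
    if signed:
        body = b"constructed-placeholder-not-a-real-pkcs7"   # 40 bytes -> 48-byte entry, 8-aligned
        cert = struct.pack("<IHH", 8 + len(body),
                           WIN_CERT_REVISION_2_0, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + body
        struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, headers_len, len(cert))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + cert


def file_sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def scan_packages(root: Path) -> list:
    """Walk a NuGet global packages folder (or any tree) and classify every DLL."""
    rows = []
    for dll in sorted(root.rglob("*.dll")):
        data = dll.read_bytes()
        try:
            rows.append({"path": str(dll), "signed": has_authenticode_signature(data),
                         "dotnet": is_dotnet_assembly(data), "sha256": file_sha256(data)})
        except ValueError as exc:
            rows.append({"path": str(dll), "error": str(exc)})
    return rows


if __name__ == "__main__":
    unsigned, signed = build_minimal_pe(False), build_minimal_pe(True)
    print("unsigned:", has_authenticode_signature(unsigned), file_sha256(unsigned)[:16])
    print("signed:  ", has_authenticode_signature(signed), file_sha256(signed)[:16])
    if len(sys.argv) > 1:                      # e.g. %USERPROFILE%\.nuget\packages (assumed path)
        for row in scan_packages(Path(sys.argv[1])):
            print(row)
```

Run it with no arguments to see the constructed unsigned and signed images differ in hash, or pass the packages folder to list every DLL with its signature state; a DLL reported as signed is one you can skip in the bulk signing pass, and the SHA-256 column lets you detect, after signing, exactly which files changed on disk.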

There are 0 answers