risks of signing application assemblies

We consider to put one of our assemblies in the GAC for the purpose of versioning. This means this assembly must be signed and each other assembly it uses (e.g. 3rd party) must also be signed.开发者_Go百科 Only the 3rd party vendor can do the signature. Is there a practical risk that some vendors will not supply a signed version and we are limitting ourselves?

The risk is not applicable.

You can only put an assembly in the GAC if it depends only on other GAC assemblies.
So your 3rd party libs should already be in the GAC.

If they are not, you can fake it (see @Preet Sangha) but then you become the publisher of those libs. And sharing those binaries with other apps will (can) not happen.

You can always sign a third party one with ilmerge.

there's a link on my blog here: http://preetsangha.blogspot.com/2007/10/signing-third-party-assembly.html

Yes there is a risk, but 3rd Party vendors should be signed if they are appropriate for the GAC. You should be able to ask for them to be signed if they are not.

IMO, it is a risk, but not a major one, especially if you have an existing solution that you can verify is all signed.