Hi Ulrich,
Thank you for the quick turnaround on the secure-zero fix in 2.3.3 — much appreciated.
I noticed a few supply-chain hygiene gaps that I wanted to flag. None of these are vulnerabilities, and I found no malicious payload — this is about making the packages easier for downstream consumers to verify.
- Unsigned artifacts
The shipped sqlite3mc.dll (win-x64), SQLite3MC.PCLRaw.provider.dll, and SQLitePCLRaw.batteries_v2.dll are all Authenticode NotSigned. For a crypto-focused library, code signing would meaningfully improve tamper detectability for consumers who verify package contents after install.
- Floating branch reference for native binaries
The GitHub Actions packaging workflows (publish.yml, dotnet.yml) check out utelle/SQLite3MultipleCiphers-cb at ref sqlite3mc — a branch name rather than a pinned commit SHA. The lib .csproj then packs binaries straight from ..\cb\bld\bin. If the sqlite3mc branch were compromised or force-pushed, a subsequent NuGet publish would silently pick up altered binaries.
Pinning to a specific commit SHA (or a signed tag) in the checkout step would close this gap.
- Reproducibility / hash manifest
Publishing SHA256 hashes of the native artifacts alongside each NuGet release (e.g. in the GitHub release notes) would let consumers independently verify that the DLLs in their local NuGet cache match what was packaged. This is low effort and helps even without full reproducible builds.
Happy to discuss any of these further. Thanks for maintaining this package family.
Hi Ulrich,
Thank you for the quick turnaround on the secure-zero fix in 2.3.3 — much appreciated.
I noticed a few supply-chain hygiene gaps that I wanted to flag. None of these are vulnerabilities, and I found no malicious payload — this is about making the packages easier for downstream consumers to verify.
The shipped sqlite3mc.dll (win-x64), SQLite3MC.PCLRaw.provider.dll, and SQLitePCLRaw.batteries_v2.dll are all Authenticode NotSigned. For a crypto-focused library, code signing would meaningfully improve tamper detectability for consumers who verify package contents after install.
The GitHub Actions packaging workflows (publish.yml, dotnet.yml) check out utelle/SQLite3MultipleCiphers-cb at ref sqlite3mc — a branch name rather than a pinned commit SHA. The lib .csproj then packs binaries straight from ..\cb\bld\bin. If the sqlite3mc branch were compromised or force-pushed, a subsequent NuGet publish would silently pick up altered binaries.
Pinning to a specific commit SHA (or a signed tag) in the checkout step would close this gap.
Publishing SHA256 hashes of the native artifacts alongside each NuGet release (e.g. in the GitHub release notes) would let consumers independently verify that the DLLs in their local NuGet cache match what was packaged. This is low effort and helps even without full reproducible builds.
Happy to discuss any of these further. Thanks for maintaining this package family.