Friday, December 12, 2014

Reference unsigned NuGet package within a signed assembly

If you want to add a reference to an unsigned NuGet package from a signed assembly you need to take a few steps to make it possible.
In summary, what we need to do is, take the assembly from NuGet we want to reference, merge its dependencies onto it, sign it and repackage it.

tools needed:


Let's get started:
  1. Open NuGet Package Explorer
  2. Open a package from an online feed
  1. Search for it and click open


  1. Save as into a known location
  2. On the package metadata, download all the dependencies by clicking on each one of them in the dependency list and then the download link
    1. locate all the dependencies dlls as well

  1. Extract the resulting main .nupkg file (as a zip) into a folder
    1. Locate the assembly file, keep that location
  2. Open ILMerge GUI
  3. Add the main assemblies and all the dependencies assemblies using the add assemblies button 
  1. Tick the Sign with key file checkbox and select the strong name key file
  2. Now back to the package explorer, we want to replace the package's assembly with the newly merged one and also change this new package's metadata, to distinguish it from the original package
    1. we're going to add a .Signed.Merged suffix to the name
    2. on the EDIT menu click Edit Metadata
    3. change only the Id field, by appending .Signed.Merged
    4. on the content drill down to the .dll and right click Replace with and select the newly merged assembly file
    5. save the package and you'll see the file name is automatically updated
  3. Place the new package in your own package repository
  4. Add a reference to the new package from Visual Studio using the Manage NuGet references or the Package Manager console and you're done!