Best practices for signing CodePlex projects?

Sep 18, 2012 at 2:13 AM

I'd like to sign my (.Net) project and give it a strong name. Having an authenticated signiature would be nice, but that's a second issue.

  • I could sign on the command like and upload the signed artifact, but leave the source building without a signature step.
  • I could check in a keyfile with no password.
  • I could check in a password protected keyfile and set the debug build not to sign.

None of these are perfect and I'm sure I'm missing options. This has to be a well-solved issue for loads of projects. Any best practices to recommend?

I know that there are two separate issues involved: 1) creating a strong name for an assembly that ensures it a) hasn't been tampered with and b) hasn't been accidentally replaced (both ensuring that the downloaded file stays intact) and 2) authenticating that the assembly comes from the same source you think it does (or at least from the same source as the last time you downloaded).

Uploading the (unauthenticated, unprotected) key file would allow anyone to sign an assembly to satisfy some variant of issue 1. Maybe that is the best plan? It's just a self-signed key, after all. Anyone wanting to make and sign a variant from the source could just make their own.

But I thought I'd ask before checking in a change.