views:

67

answers:

2

I'm publishing an open-source library on CodePlex, and want the dll files to have strong names so that they can be added to GAC.

What's the best option for signing?

Should I use SNK? If so, everyone has access to the key. I don't have a problem with everyone having access, but is it a good approach?

Should I use PFX? If so, does it mean that other people downloading the source code are not able to build the solution?

What I'd like is that I am the only person to have access to the key, so that the signed assemblies also have a level of authenticity, while not preventing other developers from downloading, building, or changing the source code for themselves and posting changes back to the main project.

+4  A: 

We've discussed this for Noda Time. I believe the consensus was that when we get round to strong naming, we'd have one key which only a few core developers have access to, and use that for release builds - but have another key which is publicly available. So anyone who wants to make sure they only run against a build they know has been "approved" by the project members can build against the public key token of the privately-held key, but anyone can download and build the "not as trusted" version.

An alternative to having the publicly available key is to just make most build configurations not strongly named - but I prefer the version where every build is strongly named, just so there are minimal differences between that and the full release build.

Jon Skeet
So, you suggest that I have two keys in my projects. One SNK, which is the default key, and everyone gets to sign with that. Another PFX key, which has a password and I'm the only one who knows the password. When I want to do a release, I change the key preference, build the DLL and release it? Does publishing the PFX mean that anyone with knowledge of the password can use it? Because I would rather have everything in the source control of the project.
Iravanchi
@Irchi: No, I'm not suggesting PFX keys at all. I'm suggesting you have your own SNK which you keep secret. I know nothing about PFX. Wanting "everything to be on the source control of the project" is fundamentally incompatible with "What I like to do is that I am the only one person to have access to the key" unless you can specify "no-read" access within source control for some files.
Jon Skeet
I don't think "no-read" is an option with the CodePlex TFS.
Steven
@Steven: I wouldn't expect it to be, no.
Jon Skeet
+1  A: 

What I do with my projects on CodePlex is to publish the releases strongly signed with an SNK. This SNK, however, is not in source control and not publicly available. Therefore, I am the only one who can strongly sign the assemblies with this key. I explained that here.

Steven
As I mentioned in my answer, I think it's nice for the downloadable version to have a public SNK - that way you don't have as much of a change of environment when you move from "dev version" to "release version" - no differences around whether the build is signed etc. Just MHO though.
Jon Skeet
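As an added example (not code from either answer, the asker, or the Noda Time project), here is how the arrangement both answers converge on can be expressed in a classic .csproj: every configuration is strong-named, as Jon Skeet prefers, with a public key that is checked in, while the release key, as in Steven's setup, never enters source control and is only supplied by whoever cuts the release. The file name `Keys\Public.snk`, the environment variable `RELEASE_SNK` and the target name `CheckReleaseKey` are assumptions; `SignAssembly`, `AssemblyOriginatorKeyFile`, `BeforeTargets` and the sn.exe switches in the comments are the standard MSBuild and .NET Framework SDK ones.

```xml
<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <PropertyGroup>
    <!-- Strong-name every configuration, so a dev build and a release build
         differ only in which key signed them, not in whether they are signed. -->
    <SignAssembly>true</SignAssembly>
    <!-- Default key: the public one that lives in source control, so anyone who
         downloads the source can build. (Assumed path; create it once with
         "sn -k Keys\Public.snk" and commit it.) -->
    <AssemblyOriginatorKeyFile>Keys\Public.snk</AssemblyOriginatorKeyFile>
  </PropertyGroup>

  <!-- Release builds: swap in the private key. It is kept outside the repository
       and its path is passed in through an environment variable (assumed name
       RELEASE_SNK) that only the release engineer sets. -->
  <PropertyGroup Condition="'$(Configuration)' == 'Release' And '$(RELEASE_SNK)' != ''">
    <AssemblyOriginatorKeyFile>$(RELEASE_SNK)</AssemblyOriginatorKeyFile>
  </PropertyGroup>

  <!-- Make it visible when a Release build falls back to the public key, so a
       publicly-signed binary is not shipped as an "approved" release by mistake.
       Contributors can still build Release locally; they just see the warning. -->
  <Target Name="CheckReleaseKey" BeforeTargets="CoreCompile"
          Condition="'$(Configuration)' == 'Release' And '$(RELEASE_SNK)' == ''">
    <Warning Text="RELEASE_SNK is not set: this Release build is signed with the public key and is not an official release." />
  </Target>
</Project>
```

A consumer who only wants to run "approved" builds compares public key tokens: `sn -T MyLibrary.dll` prints the token of the key that signed a given assembly, and the project can publish the token of the private key's public half (`sn -p Private.snk PrivatePublic.snk` extracts it, `sn -tp PrivatePublic.snk` prints it) so the two tokens can be matched, or referenced with a fully-qualified assembly name. Builds signed with the checked-in key produce a different token, which is exactly what separates the "not as trusted" build from the release. Two caveats worth keeping in mind: the "level of authenticity" the question asks for holds only for as long as the private .snk stays private, and a strong name is an identity, not a publisher signature or a trust decision in the Authenticode sense.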