I'd like to understand some of the best practices with respect to code signing. We have an Eclipse-based application and think it would be appropriate to sign our plug-ins. This raised a lot of questions:
1. Can/Should the private key be in source control?
2. Should we sign the code as part of our nightly build process or as part of our release process?
3. Should the code be signed automatically, or is there a reason why that should be a manual step?
My inclination is to say, "Yes", "Nightly", and "Automatically", but I could see an argument for only signing the release products. I might even make the argument that SQA should sign the code after they have verified it, although that would really mess with our release process.
How do other people manage this?
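The two practices the questions above circle around, keeping the signing key out of the repository and making signing an unattended build step that fails loudly instead of silently producing unsigned output, can be shown in a small program. The following is an added example written for this page, not code from the poster or from any Eclipse tooling. It assumes an Ed25519 key stored in a raw 64-byte file as a stand-in for the keystore and certificate an Eclipse build would hand to jarsigner; the environment variable `SIGNING_KEY_FILE`, the PEM marker list and the file names are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// Added example (not from the original post). Ed25519 stands in for the
// real code-signing certificate; SIGNING_KEY_FILE and the file names are
// constructed for the demonstration.

// privateKeyMarkers are PEM headers that indicate private key material.
// The list is illustrative, not exhaustive.
var privateKeyMarkers = []string{
	"-----BEGIN PRIVATE KEY-----",
	"-----BEGIN RSA PRIVATE KEY-----",
	"-----BEGIN EC PRIVATE KEY-----",
	"-----BEGIN OPENSSH PRIVATE KEY-----",
}

// FindPrivateKeys walks a checked-out source tree and returns every file
// containing a PEM private key block. Run it in CI so a key that was
// committed by mistake fails the build before anything is signed.
func FindPrivateKeys(root string) ([]string, error) {
	var hits []string
	err := filepath.WalkDir(root, func(path string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		if d.IsDir() {
			if d.Name() == ".git" {
				return filepath.SkipDir // version-control metadata, not source
			}
			return nil
		}
		data, readErr := os.ReadFile(path)
		if readErr != nil {
			return readErr
		}
		for _, m := range privateKeyMarkers {
			if strings.Contains(string(data), m) {
				hits = append(hits, path)
				break
			}
		}
		return nil
	})
	return hits, err
}

// LoadSigningKey reads the key from the path named by envVar. The path
// points at the build host's secret store, never at the repository, so a
// plain checkout cannot sign, and an unset variable is a hard failure
// rather than an unsigned build.
func LoadSigningKey(envVar string) (ed25519.PrivateKey, error) {
	path := os.Getenv(envVar)
	if path == "" {
		return nil, errors.New(envVar + " not set: refusing to produce an unsigned build")
	}
	raw, err := os.ReadFile(path)
	if err != nil {
		return nil, err
	}
	if len(raw) != ed25519.PrivateKeySize {
		return nil, fmt.Errorf("%s: expected %d-byte key, got %d", path, ed25519.PrivateKeySize, len(raw))
	}
	return ed25519.PrivateKey(raw), nil
}

// SignArtifact signs the SHA-256 digest of a plug-in artifact and returns the
// signature as hex. Signing the digest mirrors how jar signing covers a
// manifest of digests rather than the raw archive bytes.
func SignArtifact(key ed25519.PrivateKey, artifact []byte) string {
	digest := sha256.Sum256(artifact)
	return hex.EncodeToString(ed25519.Sign(key, digest[:]))
}

// VerifyArtifact is what a release step (or SQA) would run on a nightly
// artifact before promoting it: same digest, same public key, no re-signing.
func VerifyArtifact(pub ed25519.PublicKey, artifact []byte, sigHex string) bool {
	sig, err := hex.DecodeString(sigHex)
	if err != nil {
		return false
	}
	digest := sha256.Sum256(artifact)
	return ed25519.Verify(pub, digest[:], sig)
}

func main() {
	// Constructed demo: a key file outside the tree, a clean fake repo.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	keyDir, _ := os.MkdirTemp("", "signing-key")
	defer os.RemoveAll(keyDir)
	keyFile := filepath.Join(keyDir, "nightly.key")
	_ = os.WriteFile(keyFile, priv, 0o600)
	os.Setenv("SIGNING_KEY_FILE", keyFile)

	key, err := LoadSigningKey("SIGNING_KEY_FILE")
	if err != nil {
		fmt.Println("build failed:", err)
		return
	}
	artifact := []byte("constructed plug-in contents")
	sig := SignArtifact(key, artifact)
	fmt.Println("signature valid:", VerifyArtifact(pub, artifact, sig))
}
```

The tree scan and the "no key, no build" failure are the parts worth lifting into a real pipeline; the Ed25519 signing itself would be replaced by jarsigner against a certificate whose private key lives on the build host or in a secrets store.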