Open Source project - Strong named assembly RRS feed

  • General discussion

  • Hi

    What is "best practice"-way or most common way to handle strong named assemblies/projects that are open source? Lets say I have a Visual Studio project/assembly at GitHub and I want to deploy it to NuGet and I want to sign it, have it strong named. What is the best way to handle this?

    Strong-Named Assemblies: Here they say, If you are an open-source developer and you want the identity benefits of a strong-named assembly, consider checking in the private key associated with an assembly into your source control system. But is that really correct. Someone else can use the strong-name key and try to tamper an assembly.

    Another approach is to actually sign the assembly on build but not checking in the "Strong name key"-file. Some one else who builds the cloned project from GitHub will have a build error if not putting their own key-file in the right location.

    Is "delay signing" a good option?

    I guess their are multiple solutions for this but I would like to know a "best practice"-way to handle it.

    Regards Hans

    • Moved by Tina-Shi Tuesday, November 25, 2014 6:30 AM the issue is related to the CLR issue
    • Changed type Fred Bao Friday, December 5, 2014 9:08 AM The discussion is more suitable for this case
    Monday, November 24, 2014 12:23 PM

All replies

  • Hi Hans,

    Thank you for posting in MSDN forum.

    Since this forum is discuss the VS IDE issue, we will move this case to Common Language Runtime Internals and Architecture forum, it will be better support this issue.

    Best Regards,

    We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time. Thanks for helping make community forums a great place.
    Click HERE to participate the survey.

    Tuesday, November 25, 2014 6:29 AM