Hi
What is "best practice"-way or most common way to handle strong named assemblies/projects that are open source? Lets say I have a Visual Studio project/assembly at GitHub and I want to deploy it to NuGet and I want to sign it, have it strong named. What is the best way to handle this?
Strong-Named Assemblies: Here they say, If you are an open-source developer and you want the identity benefits of a strong-named assembly, consider checking in the private key associated with an assembly into your source control system.But is that really correct. Someone else can use the strong-name key and try to tamper an assembly.
Another approach is to actually sign the assembly on build but not checking in the "Strong name key"-file. Some one else who builds the cloned project from GitHub will have a build error if not putting their own key-file in the right location.
Is "delay signing" a good option?
I guess their are multiple solutions for this but I would like to know a "best practice"-way to handle it.
Regards Hans