Do I need to secure my strong name key file for an open-source project?

Question

I'm creating a starter kit that installs the compiled assemblies from an open-source project into the GAC to make it easier to reference the assemblies in the template. Since they're going in the GAC, they need to be signed.

Do I need to password protect and secure the key file, or is it okay to leave it open and include the file in source control?

Answer 1

Strong name signing has several purposes (though not for actual protection against tampering with the program, as is common misconception) - in your case the usage of a strong key for uniquely identifying (and verifying) a specific version of a specific assembly, which is required by the GAC. The other usage, which is preventing spoofing by other assemblies, doesn't seem necessary in this case (correct me if I'm wrong). For this reason, I would believe that it's perfectly acceptable to leave the key open (not password protected) and include the file in source control. As far as I can see, you're not going to stop anything you don't want by password protecting the key. (However, if you could provide more detail on the security context, I might have to revise that view.)

Also, see this MSDN article for a great thorough discussion of how to properly use strong name signing in general.

Answer 2

I would say include a 'development' key in source control, to make building easier and avoid forcing people to faff around with creating and using their own key. The key in source control is meaningless security-wise, since anyone can sign with it. If people want to sign their build of your open-source project, they can substitute their key which they can manage any way they like.

You could also provide builds for download, signed with a secured key (that you don't give anyone), but for people to want to use these binaries they would need to trust you. Are you trustworthy? :)