Should we keep our sign key secret?

[zvirja]

Previously @ploeh kept the signing key for all the assemblies in secret. I'd like to discuss whether it indeed makes sense.

If we check other popular testing helpers, we'll find that all them has opened public key:

1. xunit - key is open.
2. nunit - key is open.
3. NSubstitute - key is open.
4. Moq - key is open.
5. FakeItEasy - key is open.
6. FluentAssertions - key is open.

I don't see too much sense to keep AF key closed and believe we can also add it to the repository. Indeed, signing allows to prove the assembly's identity, but I don't believe we strictly require that. Our days NuGet is used to distribute packages, rather than third-party sites where the identity indeed does matter.

If we publish key to the repository, that will have a lot of benefits:

1. It will be easier to generate NuGet with signed assemblies by CI.

2. It will be easier for people to make own AutoFixture assemblies and test whether it solves particular issue. Consider the following scenario:

   1. You found some bug in AF. You download source code locally and fix it.
   2. Now you have AF assemblies with fixed bug and you want to test whether it helped.

   Here is where the issues start. If you assemblies are unsigned, you cannot simply put the modified assemblies to the local NuGet cache - project will not compile. Rather, you need to update all your projects to target to a new assembly - just for a simple test. The things become even worse when that is the core AutoFixture assembly, as other depending libraries (like AutoFixture.xunit or AutoFixture.NSubstitute) will need to be updated as well.

   If we ship signing key issue will be solved.

3. You don't need to store one more secret :)

As for the @ploeh, it seems he didn't have strong reason to keep it secret.

Personally, I'd vote using both hands to open the key and simplify everybody's life.
Guys (@moodmosaic, @adamchester, @ecampidoglio, @klimisa) - what do you think about this?

[adamralph]

👍 to open the key.

[abatishchev]

👍 Don't see any reasons not to open it. How cares? I doubt anyone does.

[cvbarros]

Open the key and keep nuget.org privileges secret.

…

On Sun, 2 Apr 2017 at 14:16 Alexander Batishchev ***@***.***> wrote: Don't see any reasons not to open it. How cares? I doubt anyone does. — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#746 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AAwCvwwhRzzUb9d3jVblzyxrpqrWyUsJks5rr9fkgaJpZM4Mw2Pq> .

[moodmosaic]

Although I find the topic of discussion interesting, I have no opinion. Voting neutral on that one.

[zvirja]

@ecampidoglio and @adamchester Could you please add your opinions here as well?
I'm currently working on CI to have early builds for v4 and simplify the release procedure itself. I need the sign key on CI - so l need this decision.

[ecampidoglio]

I think it makes sense to open it up, especially considering the second point brought up in this comment.
Also, these days authenticity is guaranteed by the NuGet account that publishes the package, which certainly wasn't the case during the early days of AutoFixture.

So, sure, you can go ahead and commit the keys to the repo as far as I'm concerned. 👍

[adamchester]

👍 to open it up

[zvirja]

Thanks, agreed :)