Docker.DotNet, X509, BasicAuth: Should be signed releases #102

Closed
jterry75 opened this issue Jul 18, 2016 · 2 comments

@jterry75
Contributor

In order for users to include Docker.DotNet and other binaries in the GAC (for non .NET Core scenarios) they need to be signed.

@jterry75 jterry75 added this to the v2.125 milestone Jul 18, 2016
@jstarks jstarks modified the milestones: v2.125, v2.124.2 Jul 18, 2016
@jterry75 jterry75 modified the milestones: v3.126, v2.124.2 Jul 28, 2017
@jterry75 jterry75 mentioned this issue Jul 28, 2017
@jterry75
Contributor Author

Looking for feedback here:

I don't want to limit the community's ability to create privates and use them. Does anyone know the best practices for .NET signing binaries in the public? From what I can tell, people include the Key.snk in the project and you can sign the binaries on your own if building privates. However, this doesn't offer any protections of authenticity given the key is public if we use this same key for NuGet. For official releases to NuGet I would sign these with a private key known only to me. (Uh... Hit by a bus scenario anyone?)

The issue I see here is mostly that these two keys will never be the same and thus people who are making privates will be constantly switching between strong names of different keys. Are there any issues here other than requiring rebuild? Maybe that isn't even a problem since if you are using privates you are rebuilding anyways. Ideas?

@galvesribeiro
Member

@jterry75 I would suggest you ping @sergeybykov

He is the head of the Orleans project and we sign Orleans public bits on every release. I know it is a costly process but he may be able to guide you with the internal MSFT process to get there.

As for public custom builds, anyone can tap into the build process using their preferred tool and sign the DLL.
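
The two-key concern raised in this thread, as an added example (not code from the issue or from Docker.DotNet): a strong-named assembly's identity includes a public key token derived from the signing key's public blob, so a build signed with a repository Key.snk and a release signed with a private key are different assemblies to the .NET Framework binder. The two "keys" below are constructed byte patterns rather than real RSA keys, and the version number is a placeholder.

```python
import hashlib
import struct

CALG_RSA_SIGN = 0x2400  # SigAlgID of a strong-name RSA key
CALG_SHA1 = 0x8004      # HashAlgID of a strong-name RSA key


def build_public_key_blob(modulus: bytes, exponent: int = 65537) -> bytes:
    """Lay out a strong-name public key blob around an RSA modulus."""
    # CryptoAPI PUBLICKEYBLOB: BLOBHEADER, RSAPUBKEY ("RSA1"), modulus.
    capi = struct.pack("<BBHI", 0x06, 0x02, 0, CALG_RSA_SIGN)
    capi += b"RSA1" + struct.pack("<II", len(modulus) * 8, exponent)
    capi += modulus
    # Strong-name wrapper: SigAlgID, HashAlgID, cbPublicKey, then the blob.
    return struct.pack("<III", CALG_RSA_SIGN, CALG_SHA1, len(capi)) + capi


def public_key_token(blob: bytes) -> str:
    """Return the 8-byte token that appears in the assembly display name."""
    _sig_alg, _hash_alg, length = struct.unpack_from("<III", blob, 0)
    if len(blob) != 12 + length:
        raise ValueError("truncated or padded public key blob")
    if blob[12] != 0x06 or blob[20:24] != b"RSA1":
        raise ValueError("not an RSA public key blob")
    # Token = last 8 bytes of SHA-1 over the whole blob, byte-reversed.
    return hashlib.sha1(blob).digest()[-8:][::-1].hex()


def display_name(blob: bytes, name: str = "Docker.DotNet",
                 version: str = "1.0.0.0") -> str:
    """Build the full name a referencing assembly records at compile time."""
    return (f"{name}, Version={version}, Culture=neutral, "
            f"PublicKeyToken={public_key_token(blob)}")


# Constructed 1024-bit "moduli" standing in for the two keys in the thread:
# the Key.snk checked into the repository and the maintainer's private key.
REPO_KEY = build_public_key_blob(bytes(range(128)))
RELEASE_KEY = build_public_key_blob(bytes(range(128, 256)))

if __name__ == "__main__":
    print("private build :", display_name(REPO_KEY))
    print("NuGet release :", display_name(RELEASE_KEY))
    same = public_key_token(REPO_KEY) == public_key_token(RELEASE_KEY)
    print("same identity :", same)
```

Code compiled against one of these names does not bind to an assembly carrying the other without a rebuild, and only the token of the privately held key says anything about who produced the binary.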

@jterry75 jterry75 closed this as not planned Dec 12, 2023