
Please publish your signing fingerprint #7821

Open

rodwiddowson opened this issue Nov 1, 2023 · 1 comment

Labels: website (Issues related to updating the WiX Toolset's website)

Comments


rodwiddowson commented Nov 1, 2023

Intro

This is by way of a follow-up from wixtoolset/web PR#230, which in turn was entered in response to wixtoolset/discussions #7746.

TL;DR

You need to publish the fingerprint for your signing key somewhere. Otherwise projects that care about supply chain attacks will not be able to use Wix4. This explains why I need it.

Detail

(from the discussion)

We need to be able to do independent verification that the certificate and key we're verifying against is indeed the one you intend, so that we don't find ourselves incorrectly verifying against a key that isn't yours.

This is usually done by listing the (public part of) the keys on a project-owned website [2], and some people choose to check them into their source repository [3]. I haven't been able to find them for you - can you point us at them?

I'd appreciate any help you can provide to get me through this knot-hole - if I can get our installers building and passing our supply chain tests, I am happy to try to reciprocate by producing some sort of "how-to" guide for others.

[2] https://downloads.apache.org/logging/KEYS
[3] https://github.com/eclipse/jetty.project/blob/jetty-11.0.16/KEYS.txt
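The check the comment above is asking to be made possible, as an added example that is not part of this issue and not the WiX project's own tooling: load a KEYS-style pin file of fingerprints, run the signature check, and then accept the artefact only if the key that actually produced the signature matches one of the pinned fingerprints. The pin file, the `gpg --status-fd` output and all fingerprints below are constructed samples for illustration, not the WiX project's real keys; the only real interface used is GnuPG's `VALIDSIG` status line, where field 3 is the signing (sub)key fingerprint and the last field is the primary-key fingerprint.

```python
"""Accept a downloaded artefact only if it was signed by a pinned key.

A "Good signature" from gpg means only that *some* key in the local keyring
verified the signature. Linking that key to the publisher is the part that
needs a published fingerprint, which is what this script pins against.
"""
import re
import shutil
import subprocess
from pathlib import Path

# Constructed KEYS-style pin file (hypothetical fingerprints, not WiX's keys).
# One fingerprint per line; comments and the usual "AAAA BBBB ..." spacing are tolerated.
PINNED_KEYS_TEXT = """
# release signing key (constructed example)
0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567
"""


def load_pins(text: str) -> set[str]:
    """Parse a KEYS-style pin file into a set of normalised upper-case hex fingerprints."""
    pins: set[str] = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fp = re.sub(r"[\s:]", "", line).upper()
        # 40 hex chars = OpenPGP v4 fingerprint, 64 = v5 / SHA-256 style pin
        if not re.fullmatch(r"[0-9A-F]{40}|[0-9A-F]{64}", fp):
            raise ValueError(f"malformed fingerprint line: {raw!r}")
        pins.add(fp)
    return pins


def validsig_fingerprints(status_output: str) -> set[str]:
    """Extract signing-key and primary-key fingerprints from gpg --status-fd output."""
    found: set[str] = set()
    for line in status_output.splitlines():
        if not line.startswith("[GNUPG:] VALIDSIG "):
            continue
        fields = line.split()
        found.add(fields[2].upper())        # fingerprint of the key that signed
        if len(fields) > 12:
            found.add(fields[-1].upper())   # fingerprint of its primary key
    return found


def signer_is_pinned(status_output: str, pins: set[str]) -> bool:
    """True only if at least one VALIDSIG fingerprint is in the pin set (fail closed)."""
    if not pins:
        return False
    return bool(validsig_fingerprints(status_output) & pins)


def verify_artifact(artifact: Path, signature: Path, pins: set[str]) -> bool:
    """Run gpg and combine its exit status with the fingerprint pin check."""
    gpg = shutil.which("gpg")
    if gpg is None:
        raise RuntimeError("gpg not found on PATH")
    proc = subprocess.run(
        [gpg, "--batch", "--status-fd", "1", "--verify", str(signature), str(artifact)],
        capture_output=True, text=True, check=False,
    )
    if proc.returncode != 0:      # bad or unverifiable signature
        return False
    return signer_is_pinned(proc.stdout, pins)


# Constructed gpg --status-fd output for a signature made by the pinned key above.
SAMPLE_STATUS_OK = """[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer <signer@example.invalid>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2023-11-01 1698796800 0 4 0 1 10 01 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

# Same shape, but signed by a key that is merely present in the keyring, not pinned.
SAMPLE_STATUS_UNPINNED = """[GNUPG:] NEWSIG
[GNUPG:] GOODSIG FEDCBA9876543210 Someone Else <other@example.invalid>
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2023-11-01 1698796800 0 4 0 1 10 01 FEDCBA9876543210FEDCBA9876543210FEDCBA98
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

if __name__ == "__main__":
    pins = load_pins(PINNED_KEYS_TEXT)
    print("pinned signer:", signer_is_pinned(SAMPLE_STATUS_OK, pins))        # True
    print("unpinned signer:", signer_is_pinned(SAMPLE_STATUS_UNPINNED, pins))  # False
```

The point of splitting `signer_is_pinned` from `verify_artifact` is that the exit status of `gpg --verify` is necessary but not sufficient: an attacker who gets any key into the build host's keyring would pass the first test, so the fingerprint comparison against the published pin is what ties the artefact to the publisher. The published fingerprint itself should be fetched from a project-controlled location (such as the KEYS files cited in [2] and [3]) and checked into the consuming project's repository, not downloaded alongside the artefact.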

@barnson barnson added website Issues related to updating the WiX Toolset's website and removed triage labels Nov 14, 2023
@barnson barnson added this to the v5.0.0-preview.1 milestone Nov 14, 2023
rodwiddowson (Author) commented

This link is a real-world example of the attack that we currently defend against in the Java world.

I don't know how NuGet works, but it may well be the same (modulo some extra 'trust' because of commercially issued keys).

Please, please, please think of actioning this. We are currently blocked on V3 because of this issue - I have a complete CI chain ready to roll, but until I can trust your uploaded artefacts I cannot use it.

@robmen robmen modified the milestones: v5.0.0-rc.1, v5.0.0 Mar 7, 2024
@robmen robmen modified the milestones: v5.0.0, v.Future Apr 3, 2024