Signing .NET assemblies by passing the public/private pair key

kosunix

09 Feb, 2018 08:47 AM

Hi! I want to sign a .NET assembly using an snk key which will be passed from the UI via an environment variable, but I didn't find any appropriate way to do that. Could you suggest what would be the best way to sign a .NET assembly without exposing the private/public key pair file to a public repository? I am OK with the public key being present in the repo with the delay signing option, but I want to have the private key stored securely. Thanks in advance!

  1. Support Staff 1 Posted by Ilya Finkelshte... on 09 Feb, 2018 05:58 PM

    I would recommend using a secure variable. It is safe to keep your secrets in encrypted form in a public repo.

  2. 2 Posted by kosunix on 09 Feb, 2018 06:04 PM

    Thank you for the suggestion, Ilya, but I don't have a string but rather a file, like file1.snk.

  3. Support Staff 3 Posted by Ilya Finkelshte... on 09 Feb, 2018 06:07 PM

    Sorry, missed that. Then use secure file.

  4. 4 Posted by kosunix on 10 Feb, 2018 10:09 AM

    Great advice and it works fine. I am thinking about completely deleting any private key, even encrypted, from the repo. Is it possible in the current scenario? Because based on the approach with secure file I need to hold in the repo public.key, to support delay signing the assembly by strong name, and the private encrypted.key. A lot of secure info available publicly :)

  5. Support Staff 5 Posted by Ilya Finkelshte... on 10 Feb, 2018 11:55 AM

    You have to hold some secret in encrypted form in the repo anyway. If it is not a file, then an encrypted base-64 string or an encrypted password to network storage with your private key.

    To avoid any secrets in the repo you can use a private build server. It is possible with private build cloud, where you can have your own build VMs. This option is available for Premium accounts now (trial is free). You can even install your own AppVeyor (not only build VMs) on your premises or private cloud with AppVeyor Enterprise.

  7. 7 Posted by kosunix on 13 Feb, 2018 04:25 PM

    I see your point. Is it possible to use something similar to secure-file
    <https://www.nuget.org/packages/secure-file/> as a tool for extraction of
    the private-public key pair from key.snk, then encrypt the content of the
    file and represent it as a base64 string that can be used later as a
    secure variable? It allows me to delete the encrypted file from the repo
    and hold one encrypted variable in one place.

  8. Support Staff 8 Posted by Ilya Finkelshte... on 13 Feb, 2018 05:07 PM

    Please look at this sample. This is not exactly what you asked about but very similar. You do not need secure-file with this scenario: you convert what you need to a Base-64 string and then encrypt this on your machine. Then you check in the encrypted value to your repo. Decode and convert from Base-64 during the build.

  9. Ilya Finkelshteyn closed this discussion on 25 Aug, 2018 02:26 AM.
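
The flow described in the last reply, sketched in PowerShell as an added example (not part of the original thread and not AppVeyor's own sample). The variable name `SNK_BASE64`, the file `key.snk` and the assembly path are assumptions; the build step expects the CI system to have already decrypted the secure variable into the environment.

```powershell
# Added example. SNK_BASE64, key.snk and bin\Release\MyLibrary.dll are assumed names.

function ConvertTo-SnkBase64 {
    # Run once on your own machine, e.g. ConvertTo-SnkBase64 .\key.snk
    # Encrypt the output as a secure variable; commit only the encrypted value.
    param([Parameter(Mandatory)][string]$Path)
    [Convert]::ToBase64String([IO.File]::ReadAllBytes((Resolve-Path $Path).ProviderPath))
}

function Restore-Snk {
    # Run during the build: decode the variable to a file outside the clone folder.
    param([string]$Base64 = $env:SNK_BASE64)
    if ([string]::IsNullOrWhiteSpace($Base64)) {
        throw 'SNK_BASE64 is empty: the secure variable is not available to this build.'
    }
    $bytes = [Convert]::FromBase64String($Base64)
    # A full key pair is a PRIVATEKEYBLOB: type 0x07, version 0x02, magic "RSA2" at offset 8.
    # A public-only .snk fails this check, so a wrong variable is caught before signing.
    if ($bytes.Length -lt 12 -or $bytes[0] -ne 0x07 -or $bytes[1] -ne 0x02 -or
        [Text.Encoding]::ASCII.GetString($bytes, 8, 4) -ne 'RSA2') {
        throw 'Decoded value is not a strong-name key pair.'   # never echo the value itself
    }
    $out = Join-Path ([IO.Path]::GetTempPath()) ([IO.Path]::GetRandomFileName() + '.snk')
    [IO.File]::WriteAllBytes($out, $bytes)
    return $out
}

function Complete-StrongName {
    # Re-sign a delay-signed assembly with the restored key pair, then delete the key.
    param([Parameter(Mandatory)][string]$Assembly)
    $keyFile = Restore-Snk
    try {
        # sn.exe ships with the Windows SDK; -R re-signs a delay-signed assembly, -q is quiet.
        & sn.exe -q -R $Assembly $keyFile
        if ($LASTEXITCODE -ne 0) { throw "sn.exe failed with exit code $LASTEXITCODE" }
    }
    finally {
        # Keep the plaintext key out of build artifacts and caches.
        Remove-Item -LiteralPath $keyFile -Force
    }
}

Complete-StrongName -Assembly 'bin\Release\MyLibrary.dll'
```

With this layout the repository holds only the public key used for delay signing and the encrypted variable value; the plaintext key pair exists on the build worker only for the duration of the signing step.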
