AppVeyor Discussion: Signing .NET assemblies without exposing the snk file publicly
Comment, 2014-03-10T17:43:12Z
<div><p>I would use the following approach:</p>
<ol>
<li>Encrypt the .snk file contents using a symmetric algorithm.</li>
<li>Put the encrypted .snk into the repository.</li>
<li>During the build, get the passphrase used to encrypt the .snk file from
an environment variable and decrypt the .snk file.</li>
</ol>
<p>Pros:</p>
<ol>
<li>You can encrypt files of any length.</li>
<li>The environment variable holds the passphrase only.</li>
</ol>
<p>Encrypt/decrypt example for PowerShell: <a href=
"http://gallery.technet.microsoft.com/scriptcenter/PowerShell-Script-410ef9df">
http://gallery.technet.microsoft.com/scriptcenter/PowerShell-Script...</a>
(in your case it would be even shorter, as you work directly with a
file stream, not strings).</p>
<p><code>sn.exe</code> is part of the Windows SDK, which is installed on
the build servers. You may find this and other utilities in the
<code>C:\Program Files (x86)\Microsoft SDKs\Windows\v8.1A\bin\NETFX
4.5.1 Tools</code> folder.</p></div>Feodor Fitsner
Comment, 2014-03-11T07:04:54Z
<div><p>That's a great generalized approach, thanks!</p>
<p>It looks like I can include a pfx (a password protected
certificate) in the source and then invoke a command to digitally
sign the exe with the password for the certificate specified in the
command line. I'm considering doing this instead of strong-name
signing.</p>
<p><strong>Questions:</strong></p>
<ol>
<li>Are commands/scripts specified in the UI for something like
after_build publicly visible, either directly or through build
reports/logs? These being only visible to build administrators
would be necessary if I embed it directly in the command.<br></li>
<li>I tested adding an encrypted value to an appveyor.yml file
(contains 3 lines in total) and now all of my build configuration
in the UI is being ignored - I was expecting this, since I recall
reading it somewhere. However, I thought I would double-check - can
you confirm that leveraging the encrypted value functionality of
Tools -> "Encrypt data" requires switching completely to an
appveyor.yml file?</li>
</ol></div>jcw
Comment, 2014-03-11T18:00:54Z
<div><p>Answers to your questions:</p>
<ol>
<li>
<p>Yes, those scripts are visible in the build log. But I guess it's
not a problem as long as only logic is put there, not sensitive
info. Definitely, knowing the encrypt/decrypt algorithm does
not help if you don't know the key/passphrase ;)</p>
</li>
<li>
<p>Not necessarily; you can put your sensitive data into environment
variables ("Environment" tab). Those variables are not shown in the
build log.</p>
</li>
</ol>
<p>So, the general approach for your solution would be:</p>
<ol>
<li>Put the signing function into, let's say, the "Install" or "Before build"
scripts section.</li>
<li>Set the certificate password as an environment variable on the Environment
tab.</li>
<li>Use this variable in the script to sign the exe.</li>
</ol>
<p>Let me know if you have any questions.</p></div>Feodor Fitsner
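<p>The following PowerShell script is an added example that is not part of the thread above and not AppVeyor's own code. It puts together the two approaches discussed: the first post's "encrypt the .snk, commit the encrypted copy, decrypt at build time from a passphrase in an environment variable", and the final post's three-step layout (signing logic in the build script, the secret only in an environment variable, the variable used to sign). Assumptions not in the thread: the environment variable is named <code>SNK_PASSPHRASE</code>, the encrypted file uses an AES-256-CBC plus HMAC-SHA256 layout chosen here, the <code>sn.exe</code> path is the one quoted in the first post, and all project file names are placeholders. The SHA-256 PBKDF2 overload needs .NET Framework 4.7.2 or later, or PowerShell 7.</p>

```powershell
# Added example, not from the AppVeyor thread. Encrypt a .snk once on a developer
# machine, commit the .enc file, and decrypt it during the build from a passphrase
# held in an environment variable (assumed name: SNK_PASSPHRASE). Paths are placeholders.
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

$script:Iterations = 200000   # PBKDF2 work factor; raise as build hardware allows

# Derive 64 bytes from the passphrase: 32 bytes AES key, 32 bytes HMAC key.
function Get-DerivedKeys {
    param([string]$Passphrase, [byte[]]$Salt)
    $kdf = [System.Security.Cryptography.Rfc2898DeriveBytes]::new(
        $Passphrase, $Salt, $script:Iterations,
        [System.Security.Cryptography.HashAlgorithmName]::SHA256)
    $bytes = $kdf.GetBytes(64)
    return @{ Aes = [byte[]]$bytes[0..31]; Mac = [byte[]]$bytes[32..63] }
}

# Developer side: produce the file that goes into the repository.
function Protect-File {
    param(
        [Parameter(Mandatory)][string]$InputPath,
        [Parameter(Mandatory)][string]$OutputPath,
        [Parameter(Mandatory)][string]$Passphrase
    )
    $rng  = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $salt = New-Object byte[] 16; $rng.GetBytes($salt)
    $iv   = New-Object byte[] 16; $rng.GetBytes($iv)
    $keys = Get-DerivedKeys -Passphrase $Passphrase -Salt $salt

    $aes = [System.Security.Cryptography.Aes]::Create()   # CBC with PKCS7 padding by default
    $aes.Key = $keys.Aes
    $aes.IV  = $iv
    $plain  = [System.IO.File]::ReadAllBytes($InputPath)
    $cipher = $aes.CreateEncryptor().TransformFinalBlock($plain, 0, $plain.Length)

    # File layout: salt(16) | iv(16) | ciphertext | HMAC-SHA256 tag(32) over the preceding bytes.
    $body = [byte[]]($salt + $iv + $cipher)
    $tag  = [System.Security.Cryptography.HMACSHA256]::new($keys.Mac).ComputeHash($body)
    [System.IO.File]::WriteAllBytes($OutputPath, [byte[]]($body + $tag))
}

# Build side: verify the tag first, then decrypt.
function Unprotect-File {
    param(
        [Parameter(Mandatory)][string]$InputPath,
        [Parameter(Mandatory)][string]$OutputPath,
        [Parameter(Mandatory)][string]$Passphrase
    )
    $blob = [System.IO.File]::ReadAllBytes($InputPath)
    # Minimum size: 16 salt + 16 iv + 16 (one padded AES block) + 32 tag.
    if ($blob.Length -lt 80) { throw "Encrypted file is too short to be valid" }
    $n      = $blob.Length
    $salt   = [byte[]]$blob[0..15]
    $iv     = [byte[]]$blob[16..31]
    $cipher = [byte[]]$blob[32..($n - 33)]
    $tag    = [byte[]]$blob[($n - 32)..($n - 1)]
    $keys   = Get-DerivedKeys -Passphrase $Passphrase -Salt $salt

    # Constant-time tag comparison: a wrong passphrase or a tampered file stops here.
    $expected = [System.Security.Cryptography.HMACSHA256]::new($keys.Mac).ComputeHash([byte[]]($salt + $iv + $cipher))
    $diff = 0
    for ($i = 0; $i -lt 32; $i++) { $diff = $diff -bor ($expected[$i] -bxor $tag[$i]) }
    if ($diff -ne 0) { throw "Authentication failed: wrong passphrase or tampered file" }

    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = $keys.Aes
    $aes.IV  = $iv
    $plain = $aes.CreateDecryptor().TransformFinalBlock($cipher, 0, $cipher.Length)
    [System.IO.File]::WriteAllBytes($OutputPath, $plain)
}

# Build step (e.g. the "Before build" script section): decrypt, sign, clean up.
function Invoke-StrongNameSigning {
    param(
        [Parameter(Mandatory)][string]$EncryptedKeyPath,
        [Parameter(Mandatory)][string]$AssemblyPath
    )
    $passphrase = $env:SNK_PASSPHRASE   # assumed variable name, set on the Environment tab
    if ([string]::IsNullOrEmpty($passphrase)) { throw "SNK_PASSPHRASE is not set" }

    # sn.exe location as quoted in the thread for the build image.
    $sn = 'C:\Program Files (x86)\Microsoft SDKs\Windows\v8.1A\bin\NETFX 4.5.1 Tools\sn.exe'
    $tmpKey = Join-Path $env:TEMP ([System.IO.Path]::GetRandomFileName() + '.snk')
    try {
        Unprotect-File -InputPath $EncryptedKeyPath -OutputPath $tmpKey -Passphrase $passphrase
        # -R re-signs a delay-signed assembly with the full key pair; -q suppresses the banner.
        & $sn -q -R $AssemblyPath $tmpKey
        if ($LASTEXITCODE -ne 0) { throw "sn.exe failed with exit code $LASTEXITCODE" }
    }
    finally {
        # Never leave the decrypted key on the build agent.
        if (Test-Path $tmpKey) { Remove-Item $tmpKey -Force }
    }
}

# Once, on the developer machine:
#   Protect-File -InputPath .\MyProject.snk -OutputPath .\MyProject.snk.enc -Passphrase $env:SNK_PASSPHRASE
# In the build script:
#   Invoke-StrongNameSigning -EncryptedKeyPath .\MyProject.snk.enc -AssemblyPath .\bin\Release\MyProject.dll
```

<p>The HMAC tag is the part most ad-hoc "encrypt the key file" scripts leave out: without it, a wrong passphrase or a modified file is only noticed when <code>sn.exe</code> rejects garbage, and CBC padding errors can leak information about the ciphertext. Only the script is visible in the build log; the passphrase lives in the Environment tab variable and the decrypted key exists only in a random temp file that the <code>finally</code> block deletes. The same shape works for the pfx variant discussed above, with the certificate password in its own environment variable passed to <code>signtool.exe</code> via its <code>/f</code> and <code>/p</code> switches.</p>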