I’d like to understand some of the best practices with respect to code signing. We have an Eclipse-based application and think it would be appropriate to sign our plug-ins. This raised a lot of questions:
- Can/Should the private key be in source control?
- Should we sign the code as part of our nightly build process or as part of our release process?
- Should the code be signed automatically, or is there a reason why that should be a manual step?
My inclination is to say, “Yes”, “Nightly”, and “Automatically”, but I could see an argument for only signing the release products. I might even make the argument that SQA should sign the code after they have verified it, although that would really mess with our release process.
How do other people manage this?
It depends on how secure you want your private key to be; it might not be something that you want a temporary employee with source access to have full access to.
At my work, we do the following:
“Test sign” binaries as part of our daily builds with a checked-in key. This requires a test root certificate to be on machines in order to trust the binaries, but they will not be trusted if the bits are deployed outside the company.
Weekly (and for external releases), we sign with the real key. This is done via a separate, somewhat manual process. Only a few people have access to the key to sign the product.
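The answer's split between a checked-in test key and a tightly held release key only works if nothing but the designated test keystore ever lands in source control. Below is an added example (not code from the original question or answer) of a CI gate that walks a repository tree, flags anything that looks like private-key material (PEM private-key blocks, Java keystores by their 0xFEEDFEED magic bytes, and common keystore/key file extensions), and exempts one allow-listed test keystore path. The allow-listed path `build/signing/test-signing.jks`, the sample repository it builds, and the choice of extensions are assumptions made for this example.

```python
"""CI gate: refuse private-key material in source control, except one
designated test-signing keystore.  Added example, not from the original post.
"""
import os
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# Assumed repo-relative path of the checked-in test-signing keystore.
ALLOWED_TEST_KEYS = {"build/signing/test-signing.jks"}

# PEM private-key headers: RSA/EC/DSA/OPENSSH/ENCRYPTED/PKCS#8 variants.
PEM_PRIVATE_KEY = re.compile(rb"-----BEGIN (?:[A-Z0-9 ]+ )?PRIVATE KEY-----")
# A Java keystore (JKS) file starts with the magic number 0xFEEDFEED.
JKS_MAGIC = b"\xfe\xed\xfe\xed"
# Binary keystore / raw key formats recognised by extension (assumed set).
KEYSTORE_EXTENSIONS = {".jks", ".keystore", ".p12", ".pfx", ".key"}
# Only the first MiB of a file is inspected for headers.
MAX_READ = 1024 * 1024
SKIP_DIRS = {".git", ".svn", ".hg"}


def classify(path: Path) -> Optional[str]:
    """Return why a file looks like private-key material, or None if it does not."""
    with path.open("rb") as fh:
        head = fh.read(MAX_READ)
    if head.startswith(JKS_MAGIC):
        return "Java keystore (JKS magic bytes)"
    if PEM_PRIVATE_KEY.search(head):
        return "PEM private key block"
    if path.suffix.lower() in KEYSTORE_EXTENSIONS:
        return f"keystore/key file extension {path.suffix.lower()}"
    return None


def scan_tree(root: str) -> List[Tuple[str, str]]:
    """Walk the tree and return (repo-relative path, reason) for each hit,
    skipping VCS metadata directories and the allow-listed test keystore."""
    root_path = Path(root)
    findings: List[Tuple[str, str]] = []
    for dirpath, dirnames, filenames in os.walk(root_path):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in sorted(filenames):
            full = Path(dirpath) / name
            rel = full.relative_to(root_path).as_posix()
            if rel in ALLOWED_TEST_KEYS:
                continue
            reason = classify(full)
            if reason:
                findings.append((rel, reason))
    return sorted(findings)


def gate(root: str) -> bool:
    """True if the tree is clean; otherwise print each rejection and return False."""
    findings = scan_tree(root)
    for rel, reason in findings:
        print(f"REJECT {rel}: {reason}")
    return not findings


def build_sample_tree(root: str) -> None:
    """Constructed sample repository: one allowed test keystore, one leaked
    release keystore, a PEM private key pasted into a text file, a PKCS#12
    export, and two clean files (a public certificate and a README)."""
    files = {
        "build/signing/test-signing.jks": JKS_MAGIC + b"\x00\x00\x00\x02",
        "release/release-signing.jks": JKS_MAGIC + b"\x00\x00\x00\x02",
        "notes/scratch.txt": b"backup:\n-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n",
        "certs/export.p12": b"\x30\x82\x01\x00",
        "certs/public.pem": b"-----BEGIN CERTIFICATE-----\nMIIB...\n",
        "README.md": b"# Our Eclipse plug-ins\n",
    }
    for rel, data in files.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)


def demo_findings() -> Dict[str, str]:
    """Build the constructed sample tree in a temp dir and return its findings."""
    root = tempfile.mkdtemp(prefix="signing-gate-")
    build_sample_tree(root)
    return dict(scan_tree(root))


if __name__ == "__main__":
    root = tempfile.mkdtemp(prefix="signing-gate-")
    build_sample_tree(root)
    raise SystemExit(0 if gate(root) else 1)
```

Run it as a pre-commit hook or as the first step of the nightly build; a non-zero exit stops the build before any artifact is signed. The allow-list is the only place where a key is tolerated, which keeps the "test key in the repo, release key elsewhere" policy from the answer above explicit and reviewable.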