Signing code as part of the build process

Question

Signing code as part of the build process

I would like to understand some of the best practices regarding code signing. We have an application based on Eclipse and we consider it appropriate to sign our plugins. This raised a lot of questions:

Can / should there be a private key source of control?
Should we sign the code as part of our overnight build process or as part of our release process?
Should the code be signed automatically, or is there a reason why this should be a manual step?

My inclination is to say “Yes,” “Night,” and “Automatically,” but I could only see the argument for signing the release products. I can even argue that SQA must sign the code after it checks it, although it will really be related to our release process.

How do other people deal with this?

+5

process eclipse-plugin code-signing

Chris arguin Aug 25 '09 at 17:33

source share

2 answers

, , . , . . Contiguos , , , , (.. , corp). , , .

, ( ). , - . , , .

+3

Remus Rusanu 25 . '09 17:42

Michael · Accepted Answer · 2009-08-25T17:39:30+0000

Depending on how secure your private key is, this may not be what you want a temporary worker with access to the source to have full access to.

In my work, we do the following:

A "sign test", as part of our daily build, with a proven key. This requires that the test root certificate is located on computers to trust binary files, but they are not trusted if the bit is deployed outside the company.

( ), . , . .

Signing code as part of the build process

More articles: