Code Signing with VSTS and GitHub Sources

1
votes

Like others I use GitHub for my open source projects. Now I want to use VSTS as build and release service instead of AppVeyor.

In future I want to sign all my NuGet packages.

but: where should I store my certificate file (pfx)?

  • VSTS does not have a keyvault
  • I do not want to store my pfx file on GitHub or any other public place

My Ideas

  • I could store pem (base64) into a build var and create with openssl during the build the certificate (pfx)
  • I could store the pfx file on a private and secured blob storage and download the pfx during the build

What is the best practise here?

1
visual-studionugetazure-pipelinesazure-artifacts
You could still use Key Vault. Look at this blog for some inspiration. - Jeroen Heier
I didn't try this example, but it might work for you in a combination with Download Secure File VSTS task. - Oleg Burov

1 Answers

1
votes

Both your two ideas looks good for me. And since you are using VSTS which only support private repository, you can also create a private repository in your VSTS account to store the pfx file and then add a task in your build/release definition to get the file during the build/release.