Should i StrongName / Strong-Sign an OSS dll?

Question

I have a number of Open Source projects that also have Nuget packages available.

Recently, I was asked to Strong-Sign one of these OSS NuGet packages (well, the DLL in the package, to be more concise).

So - questions:

1. If I strong-sign it, can other dll's that are NOT strong signed, use it?
2. Do/should I commit my .snk file into the public repository? If yes, wouldn't that defeat the purpose of having it 'secretly' signed?

Cheers!

Answer 1

It's an interesting set of questions.

If I strong-sign it, can other dll's that are NOT strong signed, use it?

I believe the answer is yes. Strong signing is a means to create "chain of trust". You can use strongly signed dll's without strongly signing the consuming dll.

Do/should I commit my .snk file into the public repository? If yes, wouldn't that defeat the purpose of having it 'secretly' signed?

Yes. If you publish the .snk file you defeat the purpose of strong signing (for the most part) because anyone can sign your dll. People who want to consume a publicly available source project should take responsibility for signing for their own uses. If you have a customer that wants it or only distribute the project in binary form then you can sign it but keep your private key (snk) private.