Should I add my Metro app's TemporaryKey.pfx file to version control?
https://stackoverflow.com/questions/11303535
-
18-06-2021 - |
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianQuestion
I've created a Metro-style C#/XAML application, and now I'm trying to add it to version control (Git and, later, GitHub). That means figuring out which files belong in version control and which don't.
When I created my Metro project, Visual Studio added a file to it called ProjectName_TemporaryKey.pfx. From what I've read, .pfx files apparently have something to do with code signing or certificates or something like that. I haven't found anything yet that explains exactly what they mean in the context of Metro-style apps, or how you're supposed to manage them.
I'm planning to push my code to GitHub (in a public repository). Longer-term, I plan to put my app in the Windows store. If the .pfx file is required to build the project, then I'd better check it in. If it contains a digital identity that identifies me as the app's author, and publishing it would let anyone on the Internet push new versions of my app to the Windows store without my knowledge, then I'd better not check it in.
So my question is, is there anything secret in the TemporaryKey.pfx file? Should I check it into my public repository, or should I leave it out of source control? (And what would break if I didn't put it into source control, but then wanted to check out my code on another computer?)
Solution
The .pfx is used at the temporary code certificate to sign your app for deployment to your machine so you can debug. You can remove it, but a new temporary key will need to be generated (via the Packaging tab in the package.appxmanifest dialog). I always leave it in the code I post since it is easier on the person using the code (i.e., no error messages). If you look at some other WinRT source projects (MVVMLight, for example) they also include the .pfx for convenience.
If I understand things correctly, the temp .pfx is replaced during the Store submission process so you do not need to worry about the temp .pfx being used by someone else.
OTHER TIPS
.PFX is your key (like a key for your home door). This is for code signing purpose with private key (passphrase required for security). No one can have it except the developer of the application. You can versioned it if you are the only one who have access to the repository, but someone can hack into it and then what...? Everyone can pretend you, author of the program. Sorry for my English.
