What signing method to use for public open-source projects?

Question

I'm publishing an open-source library on CodePlex, and want the dll files to have strong names so that they can be added to GAC.

What's the best option for signing?

Should I use SNK? If so, everyone have access to the key. I don't have a problem with everyone having access, but is it a good approach?

Should I use PFX? If so, does it mean that other people downloading the source code are not able to build the solution?

What I like to do is that I am the only one person to have access to the key, so that the signed assemblies also have a level of authenticity, but meanwhile don't prevent other developers to download, build, or change the source code for themselves, and be able to post changes for the main project.

Answer 1

What I do with my projects on CodePlex is publishing the releases strongly signed with a SNK. This SNK however, is not in source control and not publicly available. Therefore, I am the only one who can strongly sign the assemblies with this key. I explained that here.

Answer 2

We've discussed this for Noda Time. I believe the consensus was that when we get round to strong naming, we'd have one key which only a few core developers have access to, and use that for release builds - but have another key which is publicly available. So anyone who wants to make sure they only run against a build they know has been "approved" by the project members can build against the public key token of the privately-held key, but anyone can download and build the "not as trusted" version.

An alternative to having the publicly available key is to just make most build configurations not strongly named - but I prefer the version where every build is strongly named, just so there are minimal differences between that and the full release build.