I've only recently come into the pleasure of being able to sign executables. Now I'm trying to establish a proper place in our build/publish process where assemblies should be signed.
My first instinct was to sign as early as possible (in a post-build event) to make sure what is being signed is what the builder intended it to be.
But this would (in our case) require every developer to have full access to the private key, which might be undesirable.
The other idea would be to only sign if we're publishing, so that signing is performed rarely and by a small amount of people. But is that too late?
Does a best practice exist?
An organization can have a closely guarded key pair that developers do not have access to on a daily basis. The public key is often available, but access to the private key is restricted to only a few individuals. When developing assemblies with strong names, each assembly that references the strong-named target assembly contains the token of the public key used to give the target assembly a strong name. This requires that the public key be available during the development process.
You can use delayed or partial signing at build time to reserve space in the portable executable (PE) file for the strong name signature, but defer the actual signing until some later stage (typically just before shipping the assembly).