Search code examples
visual-studionugetazure-pipelinesazure-artifacts

Code Signing with VSTS and GitHub Sources

Like others I use GitHub for my open source projects. Now I want to use VSTS as build and release service instead of AppVeyor.

In future I want to sign all my NuGet packages.

but: where should I store my certificate file (pfx)?

  • VSTS does not have a keyvault
  • I do not want to store my pfx file on GitHub or any other public place

My Ideas

  • I could store pem (base64) into a build var and create with openssl during the build the certificate (pfx)
  • I could store the pfx file on a private and secured blob storage and download the pfx during the build

What is the best practise here?

Solution

  • Both your two ideas looks good for me. And since you are using VSTS which only support private repository, you can also create a private repository in your VSTS account to store the pfx file and then add a task in your build/release definition to get the file during the build/release.