I am using Visual Studio 2017 to develop and publish an ASP.NET web app using Web Deploy against IIS. My web app assembly is signed, so my project contains a .snk file in the root folder. When I deploy the web app to the server, the .snk file is sent over as well.
I imagine this is not a good idea, as the .snk contains a private key that must be kept secure. I don't like the idea of having copies of my .snk file scattered over various web servers. As far as I understand, Visual Studio should use this file to sign my assembly when the solution is built, and not deploy it to the server.
Am I correct? If so, how can I stop Visual Studio from deploying this file to the server?
Unless specified otherwise, an SNK file is not served by IIS as a valid MIME type. When someone types the url to the file in the browser they will get a 404.
If you do not want it send to the server in the first place you can also delete it from Visual Studio Explorer, but still keep the file in the folder (note that VS will delete the file also, so you need to copy it to the folder again manually in Windows Explorer).
A cleaner solution would be to create a wpp.targets file and specify the files/folders for exclusion in the publish.
In your case the file would look something like this: MyProject.wpp.targets
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup>
<ExcludeFromPackageFiles Include="MyFile.snk">
<FromTarget>MyProject.wpp.targets</FromTarget>
</ExcludeFromPackageFiles>
</ItemGroup>
</Project>