48

I've created a Metro-style C#/XAML application, and now I'm trying to add it to version control (Git and, later, GitHub). That means figuring out which files belong in version control and which don't.

When I created my Metro project, Visual Studio added a file to it called ProjectName_TemporaryKey.pfx. From what I've read, .pfx files apparently have something to do with code signing or certificates or something like that. I haven't found anything yet that explains exactly what they mean in the context of Metro-style apps, or how you're supposed to manage them.

I'm planning to push my code to GitHub (in a public repository). Longer-term, I plan to put my app in the Windows store. If the .pfx file is required to build the project, then I'd better check it in. If it contains a digital identity that identifies me as the app's author, and publishing it would let anyone on the Internet push new versions of my app to the Windows store without my knowledge, then I'd better not check it in.

So my question is, is there anything secret in the TemporaryKey.pfx file? Should I check it into my public repository, or should I leave it out of source control? (And what would break if I didn't put it into source control, but then wanted to check out my code on another computer?)

Joe White
  • 1
    That's an excellent question. While I don't have a good answer - it is fairly easy to generate a new key, so the code is still usable without it (just requires an extra step) - you need to go to your Package.appxmanifest/Packaging tab/[Choose Certificate...]/[Configure Certificate...]/[Create test certificate...] - that lets you create a new pfx file, which is also useful if the old one is invalid - e.g. when you upgrade your project from an older build of Win8 and the dev tools. – Filip Skakun Jul 04 '12 at 16:34
  • 1
    Okay, good to know. Do you know if anything will break if you generate a new test cert? Like, will you no longer be able to submit new versions of your app to the app store? Or will they not accept anything with a test cert in the first place -- do you have to buy a cert somewhere before you can submit to the app store? There has to be documentation for this somewhere, I just haven't been able to find it. – Joe White Jul 04 '12 at 21:26
  • Nope, sorry. I have not seen too many details for this and I don't have the store token yet or have published an app to the store myself. – Filip Skakun Jul 05 '12 at 07:30
  • Hm, sounds like the first comment is one closest to an answer...bottom line, I don't check it in? – flq Sep 05 '12 at 18:45
  • I tried removing the .pfx file from the project, and got a compiler warning that led me to this page: http://msdn.microsoft.com/en-us/library/windows/apps/br230260(v=vs.110).aspx ...Unfortunately, that page doesn't clarify whether the file is meant to be checked into version control or not. – Joe White Sep 06 '12 at 01:56

2 Answers

37

The .pfx is used as the temporary code certificate to sign your app for deployment to your machine so you can debug. You can remove it, but a new temporary key will need to be generated (via the Packaging tab in the package.appxmanifest dialog). I always leave it in the code I post since it is easier on the person using the code (i.e., no error messages). If you look at some other WinRT source projects (MVVMLight, for example) they also include the .pfx for convenience.

If I understand things correctly, the temp .pfx is replaced during the Store submission process so you do not need to worry about the temp .pfx being used by someone else.

Jeff Brand
  • Yes, when you create an app package for publishing to the Store, a new key file $appname$_StoreKey.pfx will be generated. I always keep both $appname$_TemporaryKey.pfx and $appname$_StoreKey.pfx in version control. – Tealc Wu Jul 11 '13 at 17:57
  • 7
    Then, a follow-up question would be ... once you publish the app, you get a `*_StoreKey.pfx`. Is it unsafe to check in that one? – kiewic Nov 18 '15 at 02:25
  • I wouldn't check in the store key, especially not in a hosted repo that may be later shared with other team members. In VSTS you can use the "Secure Files" option for this, if you want to use Continuous Integration where you need the PFX again. – Patric Feb 08 '18 at 09:31
0

.PFX is your key (like a key for your home door). It is for code-signing purposes with a private key (passphrase required for security). No one can have it except the developer of the application. You can version it if you are the only one who has access to the repository, but someone can hack into it, and then what...? Everyone can pretend to be you, the author of the program. Sorry for my English.

Fu-Hsi
  • I understand what it's for, but are you saying that Jeff Brand's statement that "the temp .pfx is replaced during the Store submission process" is incorrect? If he's correct, then the temporary pfx is only used in debug mode on your local machine, never in the deployed application. – Joe White Jul 11 '17 at 12:12
  • "the temp .pfx is replaced during the Store submission process". My answer is general. You can use a PFX cert you generate yourself with the Makecert tool (https://msdn.microsoft.com/en-us/library/ff699202.aspx). Visual Studio generates it for you automatically, but it does not matter. For me, it cannot be published to anyone, because it contains a private key without a passphrase by default. – Fu-Hsi Jul 11 '17 at 14:26
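
The following pre-commit hook is an added example, not part of any answer or comment above. It turns the distinction discussed in this thread into a Git check: `*_TemporaryKey.pfx` is allowed, while `*_StoreKey.pfx` and any other `.pfx`/`.p12` file is refused. The function names and the allow/block policy are assumptions made for illustration; a team that agrees with the second answer can change the `allow` line to `block`.

```shell
#!/bin/sh
# Pre-commit guard for certificate/key containers in a Visual Studio app repo.
# Policy (an assumption drawn from the thread, adjust as needed):
#   *_TemporaryKey.pfx  -> allow  (local debug/test signing certificate)
#   *_StoreKey.pfx      -> block  (generated when packaging for the Store)
#   any other .pfx/.p12 -> block  (unknown key material, review by hand)

classify_key_file() {
    # Strip the directory part, then compare case-insensitively:
    # Windows tools may write .PFX or .Pfx.
    name=$(printf '%s' "${1##*/}" | tr '[:upper:]' '[:lower:]')
    case "$name" in
        *_temporarykey.pfx) echo allow ;;
        *_storekey.pfx)     echo block ;;
        *.pfx|*.p12)        echo block ;;
        *)                  echo ignore ;;
    esac
}

# Reads newline-separated paths on stdin, reports every blocked path on
# stderr, and returns non-zero if at least one was found.
check_paths() {
    blocked=0
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        if [ "$(classify_key_file "$path")" = block ]; then
            echo "refusing to commit key file: $path" >&2
            blocked=1
        fi
    done
    return "$blocked"
}

# When installed as .git/hooks/pre-commit, check what is staged.
# ACMR = added, copied, modified, renamed; deletions are always allowed.
run_hook() {
    git diff --cached --name-only --diff-filter=ACMR | check_paths
}

# Run only when invoked as the hook itself, not when sourced.
case "$0" in
    */pre-commit) run_hook ;;
esac
```

A hook only protects the clone it is installed in; a matching `.gitignore` entry for the blocked patterns covers the accidental `git add .` case on other machines.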