Autofixture: Should we keep our sign key secret?

Previously @ploeh kept the signing key for all the assemblies in secret. I'd like to discuss whether it indeed makes sense.

If we check other popular testing helpers, we'll find that all them has opened public key:

1. xunit - key is open.
2. nunit - key is open.
3. NSubstitute - key is open.
4. Moq - key is open.
5. FakeItEasy - key is open.
6. FluentAssertions - key is open.

I don't see too much sense to keep AF key closed and believe we can also add it to the repository. Indeed, signing allows to prove the assembly's identity, but I don't believe we strictly require that. Our days NuGet is used to distribute packages, rather than third-party sites where the identity indeed does matter.

If we publish key to the repository, that will have a lot of benefits:

1. It will be easier to generate NuGet with signed assemblies by CI.
2. It will be easier for people to make own AutoFixture assemblies and test whether it solves particular issue. Consider the following scenario:

1. You found some bug in AF. You download source code locally and fix it.
2. Now you have AF assemblies with fixed bug and you want to test whether it helped.

Here is where the issues start. If you assemblies are unsigned, you cannot simply put the modified assemblies to the local NuGet cache - project will not compile. Rather, you need to update all your projects to target to a new assembly - just for a simple test. The things become even worse when that is the core `AutoFixture` assembly, as other depending libraries (like `AutoFixture.xunit` or `AutoFixture.NSubstitute`) will need to be updated as well.

If we ship signing key issue will be solved.

1. You don't need to store one more secret :)

As for the @ploeh, it seems he didn't have strong reason to keep it secret.

Personally, I'd vote using both hands to open the key and simplify everybody's life.
Guys (@moodmosaic, @adamchester, @ecampidoglio, @klimisa) - what do you think about this?