In my understanding, git as version control system should track all resources or files that are necessary to build a software version.
If a private key file is needed for a server to function correctly (say to communicate with client that has the public key we distribute), then, should this private key file be tracked in git or somewhere else?
Best Answer
No it should not.
A key has different specifications to source code or program.
The product should not work without a key
It is specification of product that it does not work without a key. If you include the key in the distribution you effectively destroy its use.
A key should be easily replaceable.
In fact, sometimes it's needed to regularly replace it. And sometimes a deploy of a new version is a difficult and long process. Combine that with the need to rebuild your project to get a new key, and you have the recipe for a perpetual headache. If you do not require a rebuild to get the new key, then there is no reason to put the key into git - it's not used in building, bundling or testing your app.
Consider code audits.
An auditor needs to have access to source code to verify logic (and sometimes to a working program). They are not supposed to see (and hence be able to memorize) your private keys. I'm not going to go through whether it's realistic to memorize a 2048-bit key by glancing at it - sometimes reviews are done remotely.
A key does not need a history.
A key is not tied to the version of the software in most cases. Key change dates and reasons may be interesting, but those do not need to be available to everyone.
Keys are issued per company or per server, not per application.
Should you ever decide that you need a second server in another country with different laws and a different key, or allow a different company to run your server software as well, this is most important. Those should have different keys. Bundling your key with the app is a no-go then.
Keys should not be public information
Does your intern really need to have access to your production server key? Really? Does your compliance/security department concur?
There is but one key that you may want to include in Git - a test key for an internal test server or a local server. That will ease initial deployment and allow you to change key formats without making a company wide email asking all devs to change their local keys as well, while not invalidating the actual security and integrity of your production server.