I've been using both consumer keys to sign all of my requests from day
one.
I still think the issue is related to URL encoding somehow, because I
can successfully post tweets if they don't contain troublesome
characters (apostrophe, for example).
But, so long as Twitter remains silent, we'll
I dont think you got my point. Whether you were signing using both secrets
or one secret doesnt matter because twitter wasnt verifying signature at
all. Now they have fixed this and all your protected service requests must
be signed by both secrets.
My problem is how to protect the consumer
I have the same issue with my application. Desktop apps are forced to
either embed the consumer keys in source code or construct some sort
of elaborate server mechanism. There's no good answer here.
When my application approaches 1.0 release, I'll probably use
Dotfuscator or something similar
