Open SergeBakharev opened 2 weeks ago
Signing OSS software has the additional challenges in the form of not having a single business entity or owner.
I've shortlisted these two Signing vendors which have OSS friendly options:
SignPath looks better since they provide an easy to use GitHub action and the signing can be done during build automation. Certum's solution requires the smart card they use to be accessible by the build system, as well as having additional costs for the smart card itself.
We should sign our artifacts so that users know that they are using artifacts that haven't been tampered with. This is a requirement for execution on some computers that have restrictive trust policies.
This is increasingly important as platforms are imposing restrictions on unsigned software. Software running on Windows and macOS will show warnings and popups when executing binaries that are unsigned.
Code signing currently is challenging for OSS software on Windows and macOS because they don't trust self-signed CAs.
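As an added example (not from the issue or the project), the PowerShell check below is what a user or a release pipeline can run on Windows to confirm that downloaded artifacts carry an intact signature chaining to a trusted CA; the `.\dist` folder and the file patterns are assumptions.

```powershell
# Added example: verify Authenticode signatures on release artifacts before using them.
# Assumes the artifacts to check live in .\dist (a constructed path, not from the issue).
param(
    [string]$ArtifactDir = ".\dist"
)

function Test-ReleaseArtifact {
    param([Parameter(Mandatory)][string]$Path)

    # Get-AuthenticodeSignature validates the hash and the certificate chain.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        File        = Split-Path -Leaf $Path
        Status      = $sig.Status      # Valid, NotSigned, HashMismatch, NotTrusted, ...
        Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        # A timestamp keeps the signature valid after the signing certificate expires.
        Timestamped = [bool]$sig.TimeStamperCertificate
    }
}

$results = Get-ChildItem -Path $ArtifactDir -File -Include *.exe,*.dll,*.msi,*.ps1 -Recurse |
    ForEach-Object { Test-ReleaseArtifact -Path $_.FullName }

$results | Format-Table -AutoSize

# HashMismatch means the file changed after signing; NotSigned and NotTrusted (for example a
# self-signed CA) are the cases in which the platform shows the warnings described above.
$bad = $results | Where-Object { $_.Status -ne 'Valid' }
if ($bad) {
    Write-Error "Unverified artifacts: $($bad.File -join ', ')"
    exit 1
}
```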