Open Madis0 opened 5 months ago
Linux... doesn't have signing in the slightest and I don't think signpath provides macOS, you need the 99$/yr apple developer program for that I think
There's also https://www.sigstore.dev/, which is potentially better because of big names backing it up (some previous attempts did become paid, presumably due to lack of funding).
I don't think sigstore is recognized by any real entity as a code signing cert?
In that case, I guess sigstore is for code signing (which we don't necessarily need for this project) while SignPath is for binary signing.
I think sigstore is more for docker containers and such and making sure the software wasn't tampered with on the way through rather than "can this be reasonably considered virus-free"
Fabulously-Optimized/fabulously-optimized#849 needs to be merged and verification integrated in here to meet Signpath Foundation reqs
Need to fulfill these criteria as well https://github.com/SignPath/Website-old/blob/v2/src/drafts/oss_policy.md
Maybe it is worth it to use this, have to consider https://about.signpath.io/product/open-source Ideally it'd support all OSes then, not just Windows