FreeCAD / FPA

The FreeCAD Project Association

Get a CA certificate for the FPA #73

Open yorikvanhavre opened 1 year ago

yorikvanhavre commented 1 year ago

A CA certificate is a certificate issued by an authority (as opposed to a self-signed certificate), that certifies your identity. CA certificates are commonly used on websites, but can also be used to sign applications. CA certificates can usually be purchased in different flavours (individual or corporate, with or without subdomains). It costs between USD 200 and 350 a year.

Note: Linux AppImages are typically signed with gpg keys, and Apple installers with Apple developer IDs. So a CA certificate would basically only be of use to sign Windows packages. So purchasing a CA certificate would have two uses for the FPA:

A corporate, subdomain-enabled CA certificate would cost around USD 250 / year, would display "The FreeCAD project association" as the owner when someone requests security details at freecad.org, and would make the FreeCAD Windows installer signed by the FPA.

Microsoft recommends purchasing a certificate from their "partners" but they are more pricey at about USD 350 for a corporate certificate. Gandi.net, where the freecad.org domain is registered, also sells CA corp certificates for around USD 250. Description of Pro certificates

Certificates come as SSL certificates which can be directly used with websites, but can also easily be converted to the pfx format (other tutorial) which is used by the signtool.exe tool to sign Windows executables.

The certificate comes as a SSL certificate and can be immediately used on websites, and can

adrianinsaval commented 1 year ago

Are they really the same? From what I understand a code signing certificate (for Windows) is different from an SSL certificate.

And there seem to be different tiers for code signing certificates: https://stackoverflow.com/questions/48946680/how-to-avoid-the-windows-defender-smartscreen-prevented-an-unrecognized-app-fro/66582477#66582477

Here certificates are offered with a discount for open-source projects: https://shop.certum.eu/data-safety/code-signing-certificates.html?as_code_signing_rodzaj=5651

but it's not clear to me if it's OV or EV
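The distinction raised above can be checked before buying or converting anything: signtool.exe only accepts certificates whose Extended Key Usage includes Code Signing, and a plain SSL/TLS certificate does not carry it. The script below is an added example (not from this thread or the FPA); it builds two throwaway self-signed certificates with openssl, one TLS-style and one code-signing-style, and only bundles a certificate into a .pfx when the EKU check passes. It assumes openssl 1.1.1 or newer is on PATH.

```shell
#!/bin/sh
# Added example: verify the Code Signing EKU before converting a cert to PFX.
set -e
WORK=$(mktemp -d)

# Constructed samples standing in for a purchased certificate:
# "tls" carries only serverAuth, "codesign" carries codeSigning.
make_cert() {  # $1 = name, $2 = extendedKeyUsage value
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=example-$1" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" \
    -addext "extendedKeyUsage=$2" >/dev/null 2>&1
}
make_cert tls serverAuth
make_cert codesign codeSigning

# Returns 0 when the certificate's EKU lists Code Signing (OID 1.3.6.1.5.5.7.3.3).
has_code_signing_eku() {  # $1 = path to PEM certificate
  openssl x509 -in "$1" -noout -ext extendedKeyUsage 2>/dev/null \
    | grep -q "Code Signing"
}

# Bundles key + cert into PKCS#12 (.pfx, what signtool.exe consumes) only when
# the EKU check passes; prints the .pfx path on success, returns 1 otherwise.
to_pfx() {  # $1 = name
  if has_code_signing_eku "$WORK/$1.crt"; then
    openssl pkcs12 -export -inkey "$WORK/$1.key" -in "$WORK/$1.crt" \
      -out "$WORK/$1.pfx" -passout pass:changeit
    echo "$WORK/$1.pfx"
  else
    echo "$1: no Code Signing EKU, signtool.exe would reject it" >&2
    return 1
  fi
}
```

Run it and `to_pfx tls` fails while `to_pfx codesign` produces a .pfx; the same `has_code_signing_eku` check applies to a CA-issued certificate before purchase is finalised.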

yorikvanhavre commented 1 year ago

What I read everywhere is that you can convert any ssl certificate to pfx if you have a crt file that the authority provides too. So the thing is to verify that point prior to buying.

But there is one thing I was not aware of: Microsoft has a list of trusted authorities. Buying a certificate outside of those approved apparently is not much better than a self-signed one. Gandi is not in that list, so that option is not good for us.

The Certum cert is interesting, it's cheap, and Certum is in the approved list. But indeed I can't find if it includes verification of the FPA (that would be EV) or not. It also seems to come with a complex bundle of card reader and proprietary system... Might not be very practical, because it will allow only one person (who has the card) to sign

I think we need to look further...

adrianinsaval commented 1 year ago

I think MS now requires that you use that kind of card for the code signing certificate.

They also have regular EV certificates: https://shop.certum.eu/data-safety/code-signing-certificates.html?as_code_signing_rodzaj=5653

But those aren't cheap so I don't know if that's convenient

yorikvanhavre commented 1 year ago

Indeed this is more expensive than we thought... But it would still be doable if it is worth it, I guess that's what we need to look at... I see as inconveniences:

And on the plus side:

adrianinsaval commented 1 year ago

EV certificates are instantaneous as I understood it, that's why they are so much more expensive. But I'm not sure if it's worth it, since eventually the warning also goes away for an unsigned executable. The non EV certificate is only worth buying if we are going to make several point releases within the year, after an initial release with that certificate all point releases with the same certificate should be trusted.

yorikvanhavre commented 1 year ago

Yes the more I think of it the more it seems like we're getting bullied into buying an expensive product, and that somehow "it will never be enough".

Let's leave this running and research more, though.

yorikvanhavre commented 1 year ago

Considering GoDaddy: https://www.godaddy.com/web-security/ev-ssl-certificate

yorikvanhavre commented 1 year ago

Bought today, paid via PayPal. Waiting on purchase confirmation and start of the validation process

yorikvanhavre commented 1 year ago

Update: we had to provide a letter written by a lawyer ( #90 ) attesting that the FPA exists. This is now done and being analyzed by GoDaddy...