chocolatey / choco

Chocolatey - the package manager for Windows
https://chocolatey.org

Proposal: Code Signing #504

Open wjk opened 8 years ago

wjk commented 8 years ago

I was reading through the conversation on #113 and came to the part about possibly GPG-signing packages for security purposes. As an extension of this idea, would it be possible to set up some sort of Authenticode infrastructure so that the EXEs/DLLs/whatever installed by a package can also be signed, not just the package itself?

While I could theoretically purchase an Authenticode certificate from e.g. DigiCert, the truth is I just don't have the budget to. And, apparently, neither do thousands of other Windows developers. Just about every software installer I have ever run is unsigned — including some software in the community feed itself! (See ChocolateyGUI#295.)

If this proposal is accepted, I would very much appreciate the root certificate for the Authenticode infrastructure being placed into the Trusted Publishers certificate store when Chocolatey is installed, so that Windows considers files signed with certificates derived from it to be signed by a valid authority. In addition, essentially free code-signing through Chocolatey would provide another incentive for developers like me to develop their applications for this service and not use (insert horrible adware-bundling download site here) instead.

Disclaimer: I am not a security expert. If anyone spots any potential holes in what I have suggested, please let me know. Also, please note that I would only recommend modifying the Trusted Publishers store if doing so would not open the machine to a Superfish-style SSL vulnerability. Thanks!
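The concern above is whether binaries dropped by community packages carry any Authenticode signature at all, and what the Trusted Publishers store actually does. The script below is an added example (not from this issue or the Chocolatey project) that audits the signature status of every executable under a Chocolatey `lib` directory and flags which signers are already present in the machine's Trusted Publishers store; it assumes a default install location when `$env:ChocolateyInstall` is not set.

```powershell
# Added example: audit Authenticode status of binaries installed by Chocolatey packages.
# Assumption: default install root C:\ProgramData\chocolatey when $env:ChocolateyInstall is unset.
$chocoRoot = if ($env:ChocolateyInstall) { $env:ChocolateyInstall } else { 'C:\ProgramData\chocolatey' }
$libRoot   = Join-Path $chocoRoot 'lib'

# Thumbprints in the machine-wide Trusted Publishers store. Caveat: this store only records
# publisher certificates whose prompts Windows may skip; it does not make a CA trusted.
# Chain validity is still decided by the Trusted Root Certification Authorities store,
# which is exactly the store a Superfish-style root injection abused.
$trustedPublishers = Get-ChildItem Cert:\LocalMachine\TrustedPublisher |
    Select-Object -ExpandProperty Thumbprint

$report = Get-ChildItem -Path $libRoot -Recurse -File -Include *.exe, *.dll, *.msi -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig    = Get-AuthenticodeSignature -FilePath $_.FullName
        $signer = $sig.SignerCertificate
        [pscustomobject]@{
            # First directory below lib\ is the package id.
            Package             = $_.FullName.Substring($libRoot.Length + 1).Split('\')[0]
            File                = $_.Name
            Status              = $sig.Status   # Valid, NotSigned, HashMismatch, NotTrusted, ...
            Subject             = if ($signer) { $signer.Subject } else { '' }
            InTrustedPublishers = if ($signer) { $trustedPublishers -contains $signer.Thumbprint } else { $false }
        }
    }

# Unsigned or tampered files are the ones to look at first.
$report | Where-Object { $_.Status -ne 'Valid' } | Sort-Object Package, File | Format-Table -AutoSize

# Per-status totals give a quick picture of how much of the install base is unsigned.
$report | Group-Object Status | Select-Object Name, Count
```

`HashMismatch` means a file was modified after signing and deserves the same scrutiny as an unsigned one.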

ferventcoder commented 8 years ago

That's pretty interesting.

RichiCoder1 commented 8 years ago

If and when you get an answer to this, I'd be curious @ferventcoder. Looking into this myself now, especially since Gui escalates by default (something I'd like to fix eventually).

TheCakeIsNaOH commented 2 years ago

After previous discussion with @gep13, this issue depends on #508, as code signing has been added to newer nuget versions.