Closed tushev closed 1 month ago
I used the Certum signing cert in the past, but they changed the token and I have to buy a new token, again ... No one told me that open source software can be so expensive - for the author... 🤷
Thank you for your reply! Yes, sadly, the price makes quite a barrier.
GPG, on the other hand, is free. If you could sign binary-hashes.json with your GPG key, those concerned would be able to actually prove that the binaries are coming from you. Please consider this if possible.
P.S. Just FYI, there's also https://about.signpath.io/product/open-source , they sign 'significant' OSS projects for free, but they require a CI pipeline in which they integrate themselves. Personally I did not bother with setting it up for my OSS projects (yet).
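As an added example (not code from this thread or from the XCA project), this is how a user would consume a GPG-signed hash manifest like the one proposed above: it runs `gpg --verify` on a detached signature, accepts only a `VALIDSIG` status line from a pinned key fingerprint (so a signature from any other key in the keyring is rejected), and only then compares each listed binary's SHA-256 against the manifest. The manifest layout `{"files": {name: sha256}}`, the file names and the fingerprint placeholder are assumptions; `gpg` must be on PATH for the signature step.

```python
import hashlib
import json
import subprocess
from pathlib import Path

def verify_detached_signature(manifest, signature, expected_fpr):
    """Run gpg --verify; return (ok, detail). Only a VALIDSIG from the pinned key passes."""
    try:
        proc = subprocess.run(
            ["gpg", "--batch", "--status-fd", "1", "--verify", str(signature), str(manifest)],
            capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return False, "gpg not installed"
    for line in proc.stdout.splitlines():
        parts = line.split()
        # status line: [GNUPG:] VALIDSIG <signing-key-fpr> <date> <ts> ... [<primary-key-fpr>]
        if len(parts) >= 3 and parts[0] == "[GNUPG:]" and parts[1] == "VALIDSIG":
            fprs = {parts[2].upper(), parts[-1].upper()}
            if expected_fpr.replace(" ", "").upper() in fprs:
                return True, "valid signature from pinned key"
            return False, "valid signature, but from an unexpected key"
    return False, f"no valid signature (gpg exit code {proc.returncode})"

def sha256_file(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def check_manifest_hashes(manifest, base_dir):
    """Assumed layout: {"files": {"xca.msi": "<sha256 hex>"}}; returns {name: status}."""
    entries = json.loads(Path(manifest).read_text())["files"]
    results = {}
    for name, expected in entries.items():
        path = Path(base_dir) / name
        if not path.is_file():
            results[name] = "missing"
        elif sha256_file(path).lower() == expected.lower():
            results[name] = "ok"
        else:
            results[name] = "MISMATCH"   # tampered or corrupted download
    return results

def verify_release(manifest, signature, base_dir, expected_fpr):
    """Trust the hashes only after the manifest signature itself checks out."""
    ok, detail = verify_detached_signature(manifest, signature, expected_fpr)
    if not ok:
        return False, detail, {}
    results = check_manifest_hashes(manifest, base_dir)
    return all(v == "ok" for v in results.values()), detail, results

if __name__ == "__main__":
    # PLACEHOLDER fingerprint: replace with the maintainer's published key fingerprint
    print(verify_release("binary-hashes.json", "binary-hashes.json.asc", ".", "0000 0000 0000 0000 0000  0000 0000 0000 0000 0000"))
```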
@chris2511, I value proof of provenance and tamper-resistance for security-sensitive software, such as XCA. If the price of smart cards and readers is a barrier to getting and using a code-signing certificate to provide this, please contact me privately, and I will see what needs to be done to help you with this.
Perhaps it could be a solution to sign the application with a self-created certificate. Then users can import the CA into their certificate store. Of course, in some corporate environments people lack permission to do that, but in many cases it would be possible and the anti-virus software / Windows Defender will be happy...
I now possess a "code-sign-in-the-cloud" certificate that I can use to sign the next MSI installers. At least for the next 12 months.
Will take a look at https://about.signpath.io/product/open-source, which looks promising.
Hi,
I would like to ask you to consider signing the binaries and installer - not to get rid of AV warnings, but for authenticity reasons.
Authenticode signatures, unfortunately, cost some money ($29/yr + $60 for card+reader = $89 at Certum OpenSource Signing).
But even (detached) GPG signatures would be OK. I (and probably many others) would like to be sure that the binaries are really coming from (and authorized by) you.