chris2511 / xca

X Certificate and Key management
http://xca.hohnstaedt.de

Code signing for XCA releases #478

Closed tushev closed 11 hours ago

tushev commented 11 months ago

Hi,

I would like to ask you to consider signing the binaries and installer - not to get rid of AV warnings, but for authenticity reasons.

Authenticode signatures, unfortunately, cost some money ($29/yr + $60 for card+reader = $89 at Certum OpenSource Signing).

But even (detached) GPG signatures would be OK. I (and probably many others) would like to be sure that the binaries are really coming from (and authorized by) you.

chris2511 commented 7 months ago

SHA256 sums of all released binaries are always available here

chris2511 commented 7 months ago

I used the certum signing cert in the past, but they changed the token and I have to buy a new token, again ... No one told me that open source software can be so expensive - for the author... 🤷

tushev commented 7 months ago

Thank you for your reply! Yes, sadly, the price makes quite a barrier.

GPG, on the other hand, is free. If you could sign binary-hashes.json with your GPG key, those concerned would actually be able to prove that the binaries are coming from you. Please consider this if possible.


P.S. Just FYI, there's also https://about.signpath.io/product/open-source , they sign 'significant' OSS projects for free, but they require a CI pipeline in which they integrate themselves. Personally I did not bother with setting it up for my OSS projects (yet).
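
The two comments above (published SHA256 sums, and a detached GPG signature over binary-hashes.json) describe one verification chain: the user checks the signature over the hash file first, and only then trusts the hashes in it to check the downloaded installer. The following is an added example, not code from the XCA project or from anyone in this thread. It uses Ed25519 from Go's standard library as a stand-in for the maintainer's OpenPGP key so that it runs without gpg installed; the flat name-to-hex layout of the manifest and the file names are assumptions, and the "installer" bytes are constructed sample data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest stands in for binary-hashes.json: release file name -> hex SHA-256.
// The real file's layout is not shown in the thread; a flat map is an assumption.
type Manifest map[string]string

var (
	ErrBadSignature  = errors.New("manifest signature does not verify")
	ErrNotInManifest = errors.New("file is not listed in the signed manifest")
	ErrHashMismatch  = errors.New("file hash does not match the signed manifest")
)

// hashHex returns the lowercase hex SHA-256 of b, the form sha256sum prints.
func hashHex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// BuildManifest is the maintainer side of "sign binary-hashes.json":
// hash every release artifact, serialize the manifest, and produce a detached
// signature over exactly those bytes. Ed25519 stands in for the OpenPGP key.
func BuildManifest(priv ed25519.PrivateKey, artifacts map[string][]byte) (manifest, sig []byte, err error) {
	m := Manifest{}
	for name, data := range artifacts {
		m[name] = hashHex(data)
	}
	manifest, err = json.Marshal(m) // map keys are sorted, so the bytes are deterministic
	if err != nil {
		return nil, nil, err
	}
	return manifest, ed25519.Sign(priv, manifest), nil
}

// VerifyDownload is the user side. The order matters: the signature is checked
// over the raw manifest bytes BEFORE the JSON is parsed or any hash is trusted,
// so an attacker who replaces both a binary and the hash file on a mirror still
// fails at step 1 unless they hold the maintainer's private key.
func VerifyDownload(pub ed25519.PublicKey, manifest, sig []byte, name string, data []byte) error {
	if !ed25519.Verify(pub, manifest, sig) {
		return ErrBadSignature
	}
	var m Manifest
	if err := json.Unmarshal(manifest, &m); err != nil {
		return err
	}
	want, ok := m[name]
	if !ok {
		return ErrNotInManifest
	}
	if hashHex(data) != want {
		return ErrHashMismatch
	}
	return nil
}

func main() {
	// Constructed sample release; real XCA installers are not embedded here.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	artifacts := map[string][]byte{
		"xca-example.msi": []byte("fake installer bytes"),
		"xca-example.dmg": []byte("fake disk image bytes"),
	}
	manifest, sig, _ := BuildManifest(priv, artifacts)

	fmt.Println("genuine:", VerifyDownload(pub, manifest, sig, "xca-example.msi", artifacts["xca-example.msi"]))

	// Attacker swaps the installer but cannot re-sign the manifest: hash mismatch.
	evil := []byte("trojaned installer bytes")
	fmt.Println("swapped binary:", VerifyDownload(pub, manifest, sig, "xca-example.msi", evil))

	// Attacker also edits the hash file to match: the detached signature no longer verifies.
	forged, _ := json.Marshal(Manifest{"xca-example.msi": hashHex(evil)})
	fmt.Println("forged manifest:", VerifyDownload(pub, forged, sig, "xca-example.msi", evil))
}
```

With a real release the two steps map onto `gpg --verify binary-hashes.json.asc binary-hashes.json` followed by comparing `sha256sum` of the installer against the entry in the file; the point the example makes is that an unsigned hash file only detects corrupt downloads, while a signed one also detects a substituted download.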

dtklein commented 5 months ago

@chris2511, I value proof of provenance and tamper-resistance for security-sensitive software, such as XCA. If the price of smart cards and readers is a barrier to getting and using a code-signing certificate to provide this, please contact me privately, and I will see what needs to be done to help you with this.

Wernfried commented 1 week ago

Perhaps it could be a solution to sign the application with a self-created certificate. Then users can import the CA into their certificate store. Of course, in some corporate environments people lack permission to do that, but in many cases it would be possible and the Anti-Virus Software / Windows Defender will be happy...

chris2511 commented 11 hours ago

I now possess a "code-sign-in-the-cloud" certificate that I can use to sign the next MSI installers. At least for the next 12 months.

Will take a look at https://about.signpath.io/product/open-source, which looks promising