Consider signing the release

crazy-max / WindowsSpyBlocker

Block spying and tracking on Windows

https://crazymax.dev/WindowsSpyBlocker/

MIT License

4.67k stars 363 forks source link

Consider signing the release #155

Open savchenko opened 5 years ago

savchenko commented 5 years ago

Subj. As the side-effect, should help with the false positives on VirusTotal.

crazy-max commented 5 years ago

It was discussed here. Since the cost of a software certificate to sign an app is expensive and I'm a one-man-army on this project, it will stay as it is for now. I could reconsider that if I get enough donations :gift:

savchenko commented 5 years ago

Fair point, let's take a look at the options:

Digicert "Friends & Family" - USD 74$ per year, not sure if they include hardware token in this price.
Certum "Open source" - EUR 69€ and they ship smart-card with the reader to you. Most likely to attract EU VAT. Renewal is only 25€ though.

From the above, Certum looks more advantageous. Thoughts?

crazy-max commented 5 years ago

Digicert "Friend & Family" - USD 74$ per year, not sure if they include hardware token in this price.

That looks ok for me. I can use Microsoft Authenticode (digital certificates) and so signtool.

Certum "Open source" - EUR 69€ and they ship smart-card with the reader to you. Most likely to attract EU VAT. Renewal is only 25€ though.

Certum requires a physical hardware device and I don’t want to be the only one who can release the app. I prefer to be able to sign code with Microsoft Authenticode through signtool and use it on TravisCI.

savchenko commented 5 years ago

I don’t want to be the only one who can release the app

Could you elaborate why? I would imagine the opposite to be true.

crazy-max commented 5 years ago

Could you elaborate why? I would imagine the opposite to be true.

It's more about to be able to automate the build process (and so code signing) through TravisCI while making a release. If I add permission to someone (member scope) on GitHub he will be able to produce a signed release and so do not need a physical hardware device.

savchenko commented 5 years ago

:money_with_wings:

crazy-max commented 5 years ago

Thanks a lot for your donation @asvc :heart:

beerisgood commented 4 years ago

As free solution you can sign your binary with your GPG key, provide the key details (ID + fingerprint) with the public key and that's it. Then we can verify it's really from you.

As source for the public key you can upload it on your github rep + use keys.openpgp.org so get a mirror and also a second place to verify the key and protect it against manipulation on a single point of failure

If you then add checksums, like SHA512, then we also can verify that the file isn't changed in it's integrity or if the download is somehow corrupt