Sign gsudo with a Code-Signing certificate, so the UAC pop-up doesn't show 'Unknown Publisher'

[rasa]

You can get a code signing cert for 25 euros #1

See https://en.sklep.certum.pl/data-safety/code-signing-certificates/open-source-code-signing-1022.html per https://github.com/gerardog/gsudo/blob/master/backlog.md#other-not-so-likely-ideas

Spend 500 USD in a code-signing certificate so I can sign the builds. I need to setup an https web site for gsudo or myself first as a prerequisit to get the certificate.

[gerardog]

Thanks for the information @rasa.

Certum used to provide really cheap certificates for download under their previous model. But now they provide a hardware device and activation codes, quote:"'Warning. The Standard Code Signing certificate is compatible only with the CryptoCertum 3.2 cryptographic card". Requiring the usb device is not something I personally like much, But what alternatives exists?

I believe Microsoft lists all certificates providers here, which are: (cheaper first)

Certum Open Source Cloud Signing Eur 49 for 1yr, but a custom software (SimplySign) needs to be installed and activated. Can the signing be automated via SimplySign? Certum for Open Source with usb device Eur 69 for 1yr includes the device, and Eur 25 yearly renewal (just an activation code). Ssl.com => $129 for 1yr. (no usb device AFAIK) Sectigo $179 for 1 yr (w/USB device) Entrust price not listed, "from $299 per year" (probably in a 5yr or so contract) (w/USB device) GlobalSign $289 for 1 yr, (key on a USB device or in Azure Key Vault, not sure how SignTool works using azure kv..) Symantec $499 for 1 yr (not sure if USB or cert download) DigiCert $499 for 1 yr (no USB AFAIK)

So, looks like Certum is the cheapest one as you pointed out, but at $69 + shipping, since I need to buy the device first. Then $25 yearly.

But... Looks like resellers have cheaper prices... I my... this is gonna take a while...

[gerardog]

I finally bought Certum Open Source Cloud Signing for 1yr/Eur 49. The application is being verified by them. Lets see how long does this take.

[gerardog]

Update: Certum instructions are half polish half English, so Google Translate is a must. I had to sent personal documentation by mail without much security. The Certum SimlySign mobile app is not listed on Google Play for my market (Argentina) and/or phone model (Samsung S10, pretty popular). I had to download the APK and install manually. I received an activation code on Christmas eve that I didn't activate until december 26 because, holidays. By that time, the link and activation didn't worked, showing a generic error ("Incorrect data has been entered"). I checked thru all the docs available to find out the code expires after 24 hours. It took me 8 mails and 3 business days for the tech support team to send me a new activation code. Now I have the software setup on both my desktop and mobile, but I am still unable to sign, the certificate issued type is "non-qualified" and I suspect I need a 'code-signing' certificate.

[gerardog]

I was wrong about the "non-qualified" certificate. I misunderood the docs. I thought I needed to use a custom app to sign on the cloud. Turns out Certum SimplySign installs a virtual SmartCard and you can sign using Microsoft's SignTool

I wrote a little bit about the whole experience here.

I've uploaded release v0.5 with its code signed.

[DRSchlaubi]

So since I recently also started trying certum and I am wondering whether you resolved the automation issue with automation?

I see you have since switched to a sectigo certificate which is going to expire in a month, as I used sectigo myself before I wasn't surprised, but they bumped their prices by 3x because of new hardware requirements, and I doubt you want to pay 300$ to renew your certificate.

Certum does offer a cloud solution for 50$/yr, but even though the mention "simple API integration," I could not find any information about how to actually use that.

The only github actions friendly option I found was ssl.com eSigner however that alone is 20$/month (i have contacted them about OSS discounts, and their "sales team is investigating it", however, I would not hold my breath for that)

So do you have any plans yet for new signing?

[gerardog]

I don't recommend Certum at all. Here I described my journey trying to use it. You can't automate code signing with it as it requires a token from a custom app on your phone each time, and a custom signing device driver. Regarding sectigo, I bought a 1 year certificate. but weeks after that, I received a free 3yr certificate donation from Parag Mehta. from https://signmycode.com/. So, two more years to go! I am using that certificate in my automated gsudo build pipelines and works great.

[DRSchlaubi]

Thx for your informatin

[m-kuhn]

We are another open source project (https://github.com/opengisch/QField/) in need for that. I definitely would like to integrate it into a github action build pipeline (and as your solution here seems to be based on github actions), but trustworthy information about this seems to be scarce. Which of the offerings on signmycode.com are you finally using to be integratable with automation? I assume the HSM, YubiKey one (?) but I am not yet clear how that would be delivered and injected into the pipeline. Thank you for any hint in this direction !

[gerardog]

Things have changed on this matter in the last year. It's no longer possible to just download the private key and upload it as a GitHub Secret as I did.

All those options seem to depend on a Hardware Security Module, either provided by them and shipped, or already purchased by you. An HSM is physical device, so won't work with your cloud-based pipeline.

When my cert expires I'll be forced to investigate and find a solution.

I don't have an authoritative answer, but a quick search pointed me at ssl.com which seems to provide one alternative: https://www.ssl.com/guide/code-signing-automation/ The online page is confusing wheter the more expensive EV certificate is needed, or a cheaper standard code sign cert will work, to enroll in the eSigner service that GitHub Actions will use.

Another provider worth exploring is: Azure Code Signing...

[DRSchlaubi]

This change also caused certificates to triple in price + the signing cloud solution. I currently use Certum and run the sign tool step on my personal PC using a self hosted ci runner

I would be interested in how you solve this since I am looking for a better solution

[gerardog]

I would be interested in how you solve this since I am looking for a better solution

What I did back then is not possible nowadays since the rules have changed.

It's no longer possible to just download the private key and upload it as a GitHub Secret as I did.

[DRSchlaubi]

What you did back then is exactly what I used to do, but my certificate was a 1yr cert instead of a 3yr cert, so I got hit by that change before you were, however, paying 400$/yr + the ssl.com codesigner fee is simply not feasible for an OSS project as you're probably well aware, so if you find any way to solve this please tell me

[m-kuhn]

Things have changed on this matter in the last year. It's no longer possible to just download the private key and upload it as a GitHub Secret as I did.

All those options seem to depend on a Hardware Security Module, either provided by them and shipped, or already purchased by you. An HSM is physical device, so won't work with your cloud-based pipeline.

And I thought Apple is complicated and restrictive :laughing:

I don't have an authoritative answer, but a quick search pointed me at ssl.com which seems to provide one alternative: https://www.ssl.com/guide/code-signing-automation/ The online page is confusing wheter the more expensive EV certificate is needed, or a cheaper standard code sign cert will work, to enroll in the eSigner service that GitHub Actions will use.

What you did back then is exactly what I used to do, but my certificate was a 1yr cert instead of a 3yr cert, so I got hit by that change before you were, however, paying 400$/yr + the ssl.com codesigner fee is simply not feasible for an OSS project as you're probably well aware, so if you find any way to solve this please tell me

Same here, this price range is just off

Another provider worth exploring is: Azure Code Signing...

Apparently it's now called Azure Trusted Signing, it looks interesting but I am failing to set it up

[m-kuhn]

I was able to set up azure trusted code signing now with https://github.com/Azure/trusted-signing-action

[DRSchlaubi]

That's still 120 USD a year isn't it?, also does it come with a certificate?

[m-kuhn]

Yes, that's 120/year. I wouldn't call it very FOSS friendly. The signing happens on azure. You use an api via credentials, so no cert is downloaded.

[DRSchlaubi]

Well 120 USD is still a lot better than the 300+$ you need for traditional certificates, but still looks like Microsoft doesn't want OSS to sign.

The cheapest option is to publish in the MS Store, which signs your code "for free" after a 25$ one-time registration fee

[m-kuhn]

That needs a UWP, correct?

[DRSchlaubi]

They've added support for msi and other installers, but I am not sure whether they sign those, since afaik they don't even host them