ioquake / ioq3

The ioquake3 community effort to continue supporting/developing id's Quake III Arena
https://www.ioquake3.org/
GNU General Public License v2.0

Code Signing on Windows and macOS #203

Open NuclearMonster opened 7 years ago

NuclearMonster commented 7 years ago

Modern operating systems that are protective of their users' data present error messages when our binaries are executed because we don't sign our code. This sucks for our users because they experience extreme friction that prevents them from playing Quake 3 and games based on Quake 3, and it will only get worse for applications that don't sign over time as new operating systems make it more difficult to work around this security measure and run unsigned code. We should probably fix it on our end, though I would guess you can't do that entirely in public on GitHub because you'd be including our keys for whatever signing authority; perhaps we could at least include some pieces of scaffolding for a future release to sign executables?

In some magical ideal world our test builds from Jenkins would even be code signed.

Apple has documentation for macOS here: https://developer.apple.com/library/prerelease/content/documentation/Security/Conceptual/CodeSigningGuide/Introduction/Introduction.html

Which has very easy to read language to explain the situation:

Code signing is a security technology, used in OS X, that allows you to certify that an app was created by you. Once an app is signed, the system can detect any change to the app—whether the change is introduced accidentally or by malicious code.

I'm not immediately finding a good starting point for Windows' code signing, they probably have some marketing name I'm not immediately aware of, will look again when I get a chance.

maxcrofts commented 7 years ago

Microsoft calls it Authenticode: https://msdn.microsoft.com/en-us/library/windows/desktop/ee416211.aspx

The documentation has instructions for incorporating the signing process into a build system. Essentially signtool would have to be run by Jenkins as part of the build process in order for the test builds to be code signed.

timangus commented 7 years ago

The hard part is getting a code certificate really. You need to be a legal entity in order to qualify for one. Also, they cost a couple of hundred $ a year, or thereabouts.

adanski commented 7 years ago

Certum used to offer free certificates for open source projects. Unfortunately, they do not do it anymore but their current offer sounds good too.

https://www.certum.eu/certum/cert,offer_en_open_source_cs.xml

DavidLudwig commented 6 years ago

I've done work with Apple code signing before. I might be able to help with that, at least a bit.

The hard part, in my experience, is setting up infrastructure to reliably sign new Apple-OS builds. That definitely includes maintaining certificates, however, that pain can be alleviated a bit (but not 100%) through use of calendar software, and perhaps some docs (enough to guide people through it).

There's also the issue of designating private-key ownership and distribution, and making sure it doesn't get posted to unwanted places, like, say, Github.

NuclearMonster commented 3 years ago

Big update for notarization on Macs in this Twitter thread: https://twitter.com/rosyna/status/1402065462641364997
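The three technical threads above (running signtool from Jenkins as maxcrofts describes, keeping the private key out of the repository as DavidLudwig warns, and macOS notarization as raised in the previous comment) can be illustrated in one post-build signing step. The script below is an added example and is not ioquake3's own build code; signtool, codesign, ditto, xcrun notarytool, xcrun stapler and spctl are real tools with real flags, while the environment variable names, the DRY_RUN switch, the timestamp server and the file paths are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not part of ioquake3 or its build: a post-build signing step a
# Jenkins job could call. signtool, codesign, ditto, xcrun notarytool, xcrun
# stapler and spctl are real tools with real flags; the environment variable
# names, the DRY_RUN switch, the timestamp server and the paths are assumptions.
set -eu

# Nothing secret lives in the repository. The CI secret store (Jenkins
# credentials binding, for instance) is assumed to export:
#   WIN_CERT_THUMBPRINT  SHA-1 thumbprint of the Authenticode cert, installed in
#                        the build agent's personal certificate store, so no PFX
#                        file or password ever appears on a command line
#   MAC_SIGN_IDENTITY    "Developer ID Application: Name (TEAMID)"
#   NOTARY_PROFILE       notarytool keychain profile holding the App Store
#                        Connect API credentials
# DRY_RUN=1 prints each command instead of running it, for pipeline smoke tests.

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Windows: Authenticode with a SHA-256 file digest and an RFC 3161 timestamp.
# The timestamp is what keeps the signature valid after the certificate
# expires; without /tr and /td the binary would start warning again on the
# cert's expiry date.
sign_windows() {
    exe="$1"
    : "${WIN_CERT_THUMBPRINT:?must be provided by the CI secret store}"
    if [ "${DRY_RUN:-0}" != "1" ] && [ ! -f "$exe" ]; then
        echo "sign_windows: $exe not found" >&2
        return 1
    fi
    run signtool sign /fd SHA256 /sha1 "$WIN_CERT_THUMBPRINT" \
        /tr http://timestamp.digicert.com /td SHA256 "$exe"
    # /pa verifies against the Default Authenticode policy, the chain Windows
    # itself checks; a bare "verify" applies the driver-signing policy and
    # fails for ordinary code signing certificates.
    run signtool verify /pa /v "$exe"
}

# macOS: Developer ID signature with hardened runtime and a secure timestamp
# (both required for notarization), then notarize and staple the ticket so the
# app passes Gatekeeper even on a Mac that is offline at first launch.
sign_macos() {
    app="$1"
    : "${MAC_SIGN_IDENTITY:?must be provided by the CI secret store}"
    : "${NOTARY_PROFILE:?must be provided by the CI secret store}"
    run codesign --force --sign "$MAC_SIGN_IDENTITY" --timestamp \
        --options runtime "$app"
    run codesign --verify --deep --strict --verbose=2 "$app"
    run ditto -c -k --keepParent "$app" "$app.zip"
    run xcrun notarytool submit "$app.zip" --keychain-profile "$NOTARY_PROFILE" --wait
    run xcrun stapler staple "$app"
    # Gatekeeper's own verdict, the same check a user's Mac performs on launch.
    run spctl --assess --type execute --verbose=4 "$app"
}

case "${1:-}" in
    windows) sign_windows "$2" ;;
    macos)   sign_macos "$2" ;;
esac
```

Two caveats a practitioner would want: the timestamp server is a third-party dependency, so the job should fail loudly rather than fall back to an untimestamped signature; and the hardened runtime blocks loading of shared libraries signed by a different Team ID (or unsigned ones), so a build that loads third-party mod libraries would need the `com.apple.security.cs.disable-library-validation` entitlement added to the codesign step, which notarization still accepts.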

liqube commented 2 years ago

Even if you use a standard Code Signing certificate on Windows it'll show that message until several thousand people have downloaded your build. And that's for every new build you release. The goal here is to push you to buy an Extended Verification (EV) code signing certificate, which gives you certain, errm, advantages. That, of course, they can shove up theirs.

Don't even bother, save your sanity.

timangus commented 2 years ago

It isn't as many as thousands, for what it's worth. Even on a small project it only takes a small amount of time for that to go away. Also it's not every build, only when the certificate is new. I'm with you in general though, code signing is basically extortion. There is no reason for it to be (relatively speaking) so expensive.

liqube commented 2 years ago

Well at this point in time we're looking at about 700 USD per year for EV, which is pretty much not doable for most small businesses, or at least in start-up phases. Prices for non-EV have in the past year been tactically raised quite a bit to make it look more inviting to "just pay these 200 USD extra".

About the "warnings", I wish I could say it's only when a certificate is new. I've had it for every new build, across 8 years' time, with different issuer certificates, from low-end to high-end. I never got to a point where I can just release a build because my certificate's been in use for 2 years. This is all a very opaque business, extortion as you said, so nobody really understands what triggers what, and why these things happen. After all, it all drives us to buying EV in the hope, and this is key - playing with hopes - the worst play there is, that we can just pay this and continue to focus on coding our thing here.

On the web we have movements like "Let's Encrypt" that helped a lot. Of course this one renews every month or so, which makes it semi-unsuitable as proof of origin. Here's me hoping that one day we'll have a similar thing for code signing, with focus shifting away from monetization of the people who produce software that keeps a platform alive towards offering these people an incentive of producing software, and offering the users who download the software improved and strict proof of origin.

I have to point to Kevin Burton's excellent summary of the topic here: https://www.youtube.com/watch?v=mwuk0E-tfeg

timangus commented 2 years ago

Hmm well, that's not my experience. I've used a bunch of CAs over the years and it usually only takes a week or so for the "people don't download this much" warning to go away after a certificate is issued, on relatively low traffic projects. I certainly have never seen it again after it goes away, i.e. after doing new builds. I'll have a watch of your youtube dude when I get a chance... My biggest gripe with code signing (besides the extortionate costs) is all the documentation you need to supply and phone calls you have to make and receive. It all takes so long and is so ridiculously token gesture-like, that I can't imagine it prevents actual fraud very often, not that it's a fraud vector that I expect is ever used in the first place. People just click through the installation of unsigned apps anyway. Shrug.

liqube commented 2 years ago

I fully agree. This whole thing: having to use obsolete software and services, needing to use very specific browsers, waiting for them to respond to problems – that pretty much every single person must experience – with no solutions, being forwarded, having all these documents at hand, sending them several times, and again, having to sign up with certain things I don't want to sign up for (like Google Business, or shady "business directories") to be verified as a company (when really I am already verified in 20 other ways, legally), then needing to install Skype again because they require it to have a face-to-face talk with them, sign a paper, and hold it up to the camera, all seems like a huge joke, and I'm sure they are aware of it.

So how does that help making it safer for the user to not accidentally install bad software? It doesn't. And you're right, they just click through unsigned apps anyways. Especially when unsigned apps look exactly the same as signed apps.

I'll second the shrug here ;)