triplea-game / triplea

TripleA is a turn based strategy game and board game engine, similar to Axis & Allies or Risk.
https://triplea-game.org/
GNU General Public License v3.0

Sign TripleA binaries #2100

Closed RoiEXLab closed 6 years ago

RoiEXLab commented 7 years ago

In some cases the TripleA installer is blocked by Windows Smart Screen when trying to execute it. Also, we have this problem with the Mac installer (from the TripleA website):

If you get a "TripleA is damaged and cannot be opened" warning, follow these steps: Apple menu > System Preferences > Security & Privacy > General tab under the header "Allow applications downloaded from:" Change "Allow Applications Downloaded From:" to "Anywhere" This setting will reset to "Mac App Store and identified developers" every 30 days, you may need to repeat this step.

Signing the binaries created by install4j (a built-in feature of install4j) requires a certificate (which is not free). Most of the certificates start at 100$ a year, which is definitely too much. Many forums and websites link to this site: https://www.certum.eu/certum/cert,offer_en_open_source_cs.xml. Certum seems to offer certificates for open source projects for about 30€, one-time purchase. The donations should be able to pay for that. Using Travis we'd probably need to base64 encode the private key file into an ENV var and then base64 decode it back into an actual file.

The question: Is it worth it?

ssoloff commented 7 years ago

I don't use TripleA a lot on Windows, but when I do test the installer, I agree that it is annoying hitting SmartScreen. However, note that simply signing an app does not preclude SmartScreen from flagging the app. SmartScreen examines the "reputation" of the certificate used to sign the app, so until enough "valid" installs are performed, SmartScreen will continue to engage. (I suppose that's Microsoft's way of encouraging developers to buy an EV certificate, which immediately provides a high reputation to bypass SmartScreen without requiring any previous installs.)

Regarding Travis... Yeah, you'll probably have to base64-encode the PKCS #12 file containing the certificate and private key. It's probably a good idea to password protect the .p12 file, in which case the password would have to be added to the Travis environment as well. It appears that install4j supports password-protected keystores in headless builds using the --win-keystore-password and --mac-keystore-password command line parameters (there are supposedly equivalent configuration parameters for the Gradle task).

Regarding Certum... Note that the €28 quote for the OSS certificate assumes you have a smart card and reader (presumably they don't just email you your certificate :smile:). If you want them to provide the hardware, the price triples to €86.
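
The CI step discussed in the comments above, restoring a base64-encoded PKCS #12 keystore from the build environment and falling back to an unsigned build when no secret is available, could look like the following. This is an added example, not code from the thread or from the TripleA build; `SIGNING_P12_B64` and `SIGNING_P12_PASSWORD` are hypothetical variable names.

```shell
#!/bin/sh
# Added example (not from the TripleA build). SIGNING_P12_B64 and
# SIGNING_P12_PASSWORD are hypothetical names for CI secrets.
# Keep `set -x` off around this code so the secrets are not traced into the log.

# Decode the keystore into a private temp file and print its path.
# Returns 0 = keystore ready, 1 = no secret configured, 2 = secret unusable.
restore_keystore() {
  if [ -z "${SIGNING_P12_B64:-}" ]; then
    return 1    # e.g. builds from forks, where the CI does not expose secrets
  fi
  if [ -z "${SIGNING_P12_PASSWORD:-}" ]; then
    echo "keystore is set but its password is missing" >&2
    return 2
  fi
  # mktemp creates the file with mode 0600, so only the build user can read it.
  ks_file="$(mktemp "${TMPDIR:-/tmp}/signing.XXXXXX")" || return 2
  if ! printf '%s' "$SIGNING_P12_B64" | base64 -d > "$ks_file" 2>/dev/null \
      || [ ! -s "$ks_file" ]; then
    rm -f "$ks_file"
    echo "keystore variable does not decode to a file" >&2
    return 2
  fi
  printf '%s\n' "$ks_file"
}

# Decide what the build should do: "skip" (unsigned build), "sign:<path>",
# or a non-zero exit so a misconfigured secret fails loudly instead of
# silently shipping unsigned installers.
signing_plan() {
  plan_rc=0
  plan_path="$(restore_keystore)" || plan_rc=$?
  case "$plan_rc" in
    0) printf 'sign:%s\n' "$plan_path" ;;
    1) printf 'skip\n' ;;
    *) return 2 ;;
  esac
}
```

The caller is expected to delete the decoded keystore file once the installer build has finished, whether or not it succeeded.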

DanVanAtta commented 7 years ago

The mac installer problem has been an issue. I recall removing the "mac read this first" file that was deployed with the game, only problem is you could not read that file until after installation, and it was the file that told you how to bypass the installer warning :face_with_head_bandage: .

30€ one time is not that much in the long run, even €86 one-time. IMO would be worthwhile. Talk to @prastle for financing, if you give the details to him he can pay from the TripleA paypal donation fund. My 2 cents, at around $200~$300+ it starts not being worth it.

ron-murhammer commented 7 years ago

I'm fine either way on this. If we can get a cheap cert that resolves the warnings then great. If it ends up costing hundreds or doesn't actually resolve them then probably not worth it.

DanVanAtta commented 7 years ago

@RoiEXLab sounds like you may have the ball on this one. Would you mind summarizing next steps to be taken to close this issue down?

RoiEXLab commented 7 years ago

Well, the first step would be to obtain such a certificate. Price will actually be higher, the 80€ are without taxes and shipping. Since this is a Polish company and the distance to Germany is not that great, I'd offer to order this myself using the donations, but maybe it's a better idea to have the actual owners order the certificate. The following steps would be pretty straightforward: base64 encode certificate files and integrate them into the Travis build so install4j can use them.

RoiEXLab commented 7 years ago

TL;DR Should I just order the certificate myself? @DanVanAtta

prastle commented 7 years ago

@RoiEXLab @DanVanAtta Sadly I transferred almost all of the donations to the Linode account. BUT! We have a little cash left in PayPal still. (I won't do that again) I just didn't think we needed any certificates from a past conversation. Either way any future donations can be used towards these costs since there should be enough money in the Linode account to cover the next 12 months. Approx. $72.00 US atm left in PayPal

DanVanAtta commented 7 years ago

@RoiEXLab yeah, if you could follow through, work with @prastle .

@prastle :money_with_wings:

RoiEXLab commented 7 years ago

@DanVanAtta small downside I just noticed now, the certificates are not valid forever, just a single year. Binaries signed in the past don't expire, but we are going to need to pay another 30€ every year to keep signing our binaries. Since this is less than the monthly server costs, I assume this is okay, please tell me if it is not.

@prastle Please tell me once 136€/160$ (current value) are reached

prastle commented 7 years ago

Okie Dokey @RoiEXLab

prastle commented 7 years ago

Some good news! Just got a small windfall from an old customer. Unexpected money is always nice :)

If you give me the details I'll pay it myself @RoiEXLab

RoiEXLab commented 7 years ago

Will do on Gitter @prastle

prastle commented 7 years ago

think ur asleep :) but no worries! think you or dan should open that account with what ya need. Just need account details for email transfer. Or Paypal or charge card.

prastle commented 7 years ago

Thanks for walking me through it @RoiEXLab hope that helps :)

RoiEXLab commented 7 years ago

When creating the certificate, what should I choose as organisation name? Candidates: TripleA, TripleA Org, TripleA Organisation, TripleA Developers, TripleA Development Team. Other suggestions?

@DanVanAtta @ron-murhammer @ssoloff

ssoloff commented 7 years ago

I looked at some other open source projects to see what ON they use on their certificates:

Without any other OSS projects to use as guidance, my vote would be for "TripleA", "TripleA Development Team", or "TripleA Community".

prastle commented 7 years ago

We are non-profit but not registered. This really only matters if we have over $10 000.00 in donations a year from what I read with Pay Pal. Maybe just stick with TripleA?

RoiEXLab commented 7 years ago

So summing up: Valid name considerations are still:

@DanVanAtta @ron-murhammer Your vote?

RoiEXLab commented 7 years ago

bumping @DanVanAtta @ron-murhammer I'd really like to hear your vote on this, otherwise I'll interpret this as "go with your favourite"

DanVanAtta commented 7 years ago

Do you have any idea what other projects do? My first inclination was to use the project name, but I don't know what is common practice here. I don't have a terribly strong preference one way or the other at the same too as well.

prastle commented 7 years ago

im fine with the Donkeys :) all up to u guys np here

prastle commented 7 years ago

like the bottom 2 @RoiEXLab if my vote matters preferably 2

RoiEXLab commented 7 years ago

@DanVanAtta I just checked a couple of projects: OBS uses the main developer's name (btw. also a Certum certificate); Atom uses "Github Inc."; VLC Media Player uses "VideoLan" (org name); PostgreSQL uses "OPEN SOURCE CONSULTING GROUP INC".

So none of them use the actual Project Name, I wouldn't do either.

Edit: Notepad++ uses Notepad++ as name, still not convinced this is a better idea

RoiEXLab commented 7 years ago

@prastle Everyone's vote matters ^^ This name is going to be pretty permanent (at least for one year), that's why I'm asking for everyone's agreement.

RoiEXLab commented 7 years ago

@ all I will go for 'TripleA Development Team' then, unless anyone definitely wants something else. Currently still waiting for that card reader to arrive here, taking longer than expected (@prastle something else arrived ^^)

ron-murhammer commented 7 years ago

@RoiEXLab I'm fine with any of those 3 suggestions.

prastle commented 7 years ago

ok @RoiEXLab but you also received shipping invoice in your email correct? So it is on its way right?

RoiEXLab commented 7 years ago

@prastle Yes, it's on its way... Should arrive in the next couple days

prastle commented 7 years ago

Awesome!

ssoloff commented 7 years ago

@RoiEXLab This is just a reminder to update the installer with whatever organization name you chose for the certificate. Currently, the publisher is set to "TripleA Developer Team". (It's quite possible that this will happen automatically when you add the certificate to the installer, but just in case...)

DanVanAtta commented 7 years ago

Second reminder:

How will we remember in a year to update the cert once more? I'm curious what we'll do to remind ourselves so we don't get the "expired cert" bug report.

RoiEXLab commented 7 years ago

@DanVanAtta Will do!

> I'm curious what we'll do to remind ourselves so we don't get the "expired cert" bug report.

Maybe add an entry to our calendar? :D Probably the best we can do... Will have to create the certificate anyways, once this card reader arrives, still hasn't arrived, but I got a notification this morning that it arrived at a German mail company. + I already know exactly what I'm going to do once it arrives, I read the Travis docs etc. to properly encrypt it and on how to disable signing automatically if no cert is available

ssoloff commented 7 years ago

> I'm curious what we'll do to remind ourselves so we don't get the "expired cert" bug report.

Too bad there's no @RemindMeBot for GitHub issues. :smile:

RoiEXLab commented 7 years ago

Hmm unfortunately we can't define a completely custom name for the certificate :( But we can't complain for about 150$/year less than normal prices... I will register the certificate on my behalf then, still not satisfied though :/

RoiEXLab commented 7 years ago

I'm pretty upset right now, so excuse me if I'm overreacting on things. As it turns out Certum only offers certificates when private keys are stored on Smart Cards. This makes exporting the certificate + private key impossible. I'm claiming a refund now, and I already found a slightly more expensive alternative, it costs twice as much, but no crypto equipment is required, which is a good sign. @prastle I hope you don't mind me trying to get the money onto my own bank account, to be able to pay at the other service without your help.

I will probably purchase the certificate for 2 years, as this ultimately saves us 20€ and is about the same price we paid for the crypto equipment + certificate.

Although 60€/year is not very cheap, it is affordable. If the donations are not sufficient, I will pay this amount on my own, as some sort of donation.

If anyone disagrees on this decision, please let me know.

prastle commented 7 years ago

I have np with this @RoiEXLab but I think they will probably just refund my credit card. The current balance is $168.75 USD plus my refund. If the site you are using takes paypal we can do it that way. Or now that you are home I can transfer you the funds. Up to you.

prastle commented 7 years ago

@RoiEXLab I am away today but I will be on later. Let me know if you need my help. GL

RoiEXLab commented 7 years ago

@prastle Probably not in the next couple of days, except you want to pay before the refund is paid. The problem is going to be the refund is going to be significantly less than the initial price. Full Price - Shipping - Smart Card (Not the reader, but the small little chip because it can't be reused now). I expect the refund to be about 90€ of 130€ :/

RoiEXLab commented 7 years ago

@DanVanAtta @ron-murhammer @ssoloff I'm required to go to a notary (or similar) in order to get my identity verified, unless we register the TripleA org as a company. I really don't know anything about registering companies and the different possibilities there are, the question is: Is it worth it? We'd be required to pay taxes etc. and worry about much more stuff. I just wanted to tell you about this possibility, and like to hear what you think.

DanVanAtta commented 7 years ago

I don't know if registering as a non-profit would give us any benefit or even change much of anything. Is the notary just an extra nuisance, or is there any extra implication or liability to you @RoiEXLab if you proceed?

This all does seem like one damn giant scam though, to think we also will have to pay yearly for these privileges... At this point, I would wonder what is common for other open source projects to do in this situation. We do have a few lawyers that play, this all may be a better question for the forum where some of them may be able to chime in.

RoiEXLab commented 7 years ago

@DanVanAtta It's just another nuisance + extra fee in order to verify my identity (which apparently cannot be proved by my ID + bank documents etc. only). It'll be one-time only, so that won't be a major problem. The good thing is that there's no time limit on any decision. We can get a full refund any time until we haven't proven my or any other identity.

A code signing certificate is normally designed for companies; normally Comodo requires customers to be a company, which can be avoided by the mentioned step (but it's not really obvious: the gogetssl (the reseller I ordered from) support (nice and competent people) told me about it, the Comodo support however didn't mention anything).

It's really a question of benefits and downsides. Would you mind creating a forum thread about this? You know probably more about all of this stuff than I do 😅

DanVanAtta commented 7 years ago

> Would you mind creating a forum thread about this? You know probably more about all of this stuff than I do :sweat_smile:

If we want further legal clarification, that is our best route. Sounds like the notary is just a nuisance.

I appreciate the high thoughts, but I am a humble linux user and the binary signing and certs do not come up at all. I actually know very little about this process, just what is being reported and mainly that is from your research.

It does seem like Win10 and MacOS do have a successful scam going here : )

RoiEXLab commented 7 years ago

@DanVanAtta I actually meant the legal stuff, e.g. the discussion about making the TripleA Org an actual company, but ok.

> It does seem like Win10 and MacOS do have a successful scam going here

The problem is not so much Microsoft's or Apple's policies, but much more the actual implementation of trust systems in the Internet. Getting a certificate for any purpose is somewhat like getting a new id card with the exception you can only buy them from capitalistic companies, not from a government that has all the information about you. That's why Let's Encrypt is such a great thing. Big companies (like Google or Mozilla, and many more) created a foundation to make secure connections on the Internet easily accessible for everyone with a valid domain entry.

prastle commented 7 years ago

@RoiEXLab @DanVanAtta @ssoloff Just a ? But if we are not for profit is there somewhere we can be registered that has no taxes for non - profit? Also if we are registered non-profit pay pal fees go down ;) Just some info.

prastle commented 7 years ago

In addition Pay pal doesn't care unless over $10 000 in donations. Thus I would assume same for USA etc.

DanVanAtta commented 6 years ago

@RoiEXLab what are next steps here?

@prastle if there is benefit to us being a non-profit, I think that is probably worthwhile picking up in a new issue. We need to coordinate that effort, but the benefits to do so I think need to be discussed first for it to be worth doing at all.

prastle commented 6 years ago

It was just a general comment. We need to be incorporated as non profit to get those savings. But yes there is a benefit. Paypal fees are reduced slightly. But unless we are over 10 000 dollars in donations this might be a completely moot point. I was mainly asking to discover if TripleA was registered already.

prastle commented 6 years ago

Good news is it might help @RoiEXLab with above as well. @DanVanAtta

RoiEXLab commented 6 years ago

@DanVanAtta I really have little knowledge about what needs to be done. Especially because it's the German legal system and I need to check what Comodo exactly wants/needs and what I need to do for it.

The other option would be to get a refund and send the money to someone of you living in America, might make some things easier (and cheaper? I don't know if an official translation of the document is needed) to have one of you order the certificate. And do the same steps that I'd need to take.

Making TripleA a company is just some sort of plan c which is probably going to be equally complicated, but might make some things easier in the future.

prastle commented 6 years ago

@DanVanAtta sent a gitter message about the probs.