triplea-game / triplea

TripleA is a turn based strategy game and board game engine, similar to Axis & Allies or Risk.
https://triplea-game.org/
GNU General Public License v3.0
1.35k stars 399 forks

Code Signing for TripleA #6598

Open DanVanAtta opened 4 years ago

DanVanAtta commented 4 years ago

Code signing keeps coming up:

A) To be very direct, code signing is a scam. The cost of the certificate is hardly justified. Essentially one is purchasing a very expensive but cheaply generated prime number.
B) Renewing a certificate resets our reputation back to zero.
C) The annual cost is potentially significant, enough to add anywhere from 10% to +50% to our total operating costs.
D) It's a PITA and questionable.

Fundamentally, we produce hashes of our software and distribute those hashes. The real security of our software is that you can download the source and/or verify all of the source code and the hashes of the assets you download.

I suspect we'll never bypass the Windows Defender security screen until we have both spent $500/year, more on incorporation, more importantly lots of time investment, and have reached some number of downloads after having done all that to get a pass on Windows Defender until such time that our cert is up for renewal. Getting off my soap box, I don't think we should pay for a certificate. I suggest we either find something that is free and gets us some value, or don't bother and let users make the choice of whether they trust our website or not.

https://virtualgl.org/DeveloperInfo/CodeSigningHell

Hopefully you can see how, from an open source point of view, code signing currently does more harm than good. I wouldn’t have even pursued it were it not for the fact that Apple and Microsoft (and Oracle before them) forced our hand. I firmly believe in letting users choose for themselves. If a user wants to install an unsigned package or application, or run an unsigned JAR file, then the O/S (or Java) should pop up a warning dialog but let them choose to proceed. Instead, independent software developers are forced to use an antiquated and draconian process (Windows, Java) or a vendor-locked and poorly-supported process with some major technical limitations (Apple) in order to identify themselves. From my point of view, this is more about reducing corporate liability than protecting users from malware. Code signing is antithetical to the idea of open source, since the philosophy behind open source is reproducibility— the ability to exactly reproduce the behavior of a binary distribution from source code given the same build procedure.

I would recommend we take up two action items:

  1. @prastle get a refund from Comodo and any downpayments we have issued toward any signing service.

  2. Research any free alternatives. I think this could be a candidate: https://github.com/vchain-us/vcn

RoiEXLab commented 4 years ago

code signing is a scam

Pretty much yeah, just like EV certificates vs regular certificates. Let's Encrypt is probably the best thing that happened to the web in the last century. Hard to justify $100 certificates vs a free one (where some companies actually ran shady ad campaigns with a lot of false claims about security).

@prastle get a refund from Comodo and any downpayments we have issued toward any signing service.

I just checked: we can cancel the order, but the 30-day refund window already expired a long time ago. I can DM you the details @prastle if you want to go after goodwill and try; otherwise I think we can arrange something so we share the lost money so you don't have to pay for my neglectful behaviour.

Research any free alternatives

The big problem with free alternatives is that they all require user action to verify the binaries, like installing a Chrome extension and such; they don't come built-in. Given that we already publish hashes for our binaries, we would barely gain any benefit from any alternatives, mostly user convenience for the few that actually care, not something I'd call satisfying.

DanVanAtta commented 4 years ago

cc: @prastle

Just an FYI, any comments/thoughts welcome.

stale[bot] commented 4 years ago

This issue has been automatically marked as stale because it has not had recent activity. If there is something that can be done to resolve this issue, please add a comment indicating what that would be and this issue will be re-opened. If there are multiple items that can be completed independently, we encourage you to use the "reference in new issue" option next to any outstanding comment so that we may divide and conquer.

DanVanAtta commented 4 years ago

I think the consensus (based on lack of objection) is that we won't do code-signing. We do generate a checksum for the distributions, for now that needs to be enough.
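
The approach the thread settles on, both in the opening comment ("we produce hashes of our software and distribute those hashes") and in the closing consensus ("we do generate a checksum for the distributions"), is integrity verification by published checksum. The following is an added worked example written for this page; it is not TripleA project code. It assumes the manifest format that `sha256sum` emits and that `sha256sum -c` reads (`<hex digest>  <file name>`, with ` *` marking binary mode), and the file names and contents it hashes are constructed for the demo, not real release artifacts. It shows the three outcomes a user-side check has to distinguish: intact, tampered, and never listed.

```python
import hashlib
import hmac
import os
import tempfile

HEX_DIGITS = set("0123456789abcdef")


def sha256_of_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large game distributions need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def write_checksums(paths):
    """Build a manifest in the format `sha256sum` emits: '<hex digest>  <file name>' per line.
    This is what a release pipeline would publish next to the downloads."""
    return "".join(f"{sha256_of_file(p)}  {os.path.basename(p)}\n" for p in paths)


def parse_checksums(text):
    """Parse a sha256sum-style manifest into {file name: lowercase hex digest}.

    Accepts both the text-mode ('  ') and binary-mode (' *') separators, skips blank
    and '#' comment lines, and rejects anything that is not a 64-hex-char digest so a
    truncated or edited manifest fails loudly instead of silently verifying nothing."""
    expected = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"manifest line {lineno} is malformed: {raw!r}")
        digest, name = parts[0].lower(), parts[1].lstrip("*")
        if len(digest) != 64 or not set(digest) <= HEX_DIGITS:
            raise ValueError(f"manifest line {lineno} has a bad SHA-256 digest: {raw!r}")
        expected[name] = digest
    return expected


def verify_download(path, manifest_text):
    """Return 'OK', 'MISMATCH', or 'UNLISTED' for one downloaded file.

    UNLISTED is deliberately distinct from MISMATCH: a file the manifest never
    mentioned was not verified at all, which a user should not mistake for success."""
    expected = parse_checksums(manifest_text)
    name = os.path.basename(path)
    if name not in expected:
        return "UNLISTED"
    actual = sha256_of_file(path)
    # Both digests are public, so timing is not a concern; compare_digest is used
    # only because it is length-safe and reads unambiguously as a digest comparison.
    return "OK" if hmac.compare_digest(actual, expected[name]) else "MISMATCH"


def demo():
    """Constructed end-to-end run with throwaway files (the names are made up for
    this example and are not real TripleA release artifacts)."""
    with tempfile.TemporaryDirectory() as d:
        client = os.path.join(d, "triplea-client.jar")
        server = os.path.join(d, "triplea-server.jar")
        with open(client, "wb") as f:
            f.write(b"constructed client release bytes\n" * 1000)
        with open(server, "wb") as f:
            f.write(b"constructed server release bytes\n" * 1000)

        manifest = write_checksums([client, server])  # what the website would publish
        results = {"intact": verify_download(client, manifest)}

        # Simulate tampering in transit or on a mirror: flip a single byte.
        with open(client, "r+b") as f:
            f.seek(10)
            f.write(b"X")
        results["tampered"] = verify_download(client, manifest)

        # A file that was never listed cannot be verified, only noticed.
        stray = os.path.join(d, "triplea-unknown.jar")
        with open(stray, "wb") as f:
            f.write(b"not in the manifest\n")
        results["unlisted"] = verify_download(stray, manifest)
        return results


if __name__ == "__main__":
    print(demo())  # {'intact': 'OK', 'tampered': 'MISMATCH', 'unlisted': 'UNLISTED'}
```

The caveat a practitioner would attach to this: a checksum fetched from the same page as the download proves only that the bytes match what that page currently publishes. It catches corruption and tampering between the site and the user, but if the site itself is compromised the attacker simply publishes matching hashes. That residual gap, authenticating who produced the bytes rather than just that they arrived intact, is what a signature checked against an out-of-band key would cover, and it is the trade the thread is choosing to accept.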