
Code Signing on Windows and macOS (ioq3 issue, open, 10 comments)

ioquake avatar ioquake commented on July 20, 2024
Code Signing on Windows and macOS

from ioq3.

Comments (10)

timangus avatar timangus commented on July 20, 2024 2

It isn't as many as thousands, for what it's worth. Even on a small project it only takes a small amount of time for that to go away. Also it's not every build, only when the certificate is new. I'm with you in general though, code signing is basically extortion. There is no reason for it to be (relatively speaking) so expensive.

from ioq3.

adanski avatar adanski commented on July 20, 2024 1

Certum used to offer free certificates for open source projects. Unfortunately, they do not do it anymore but their current offer sounds good too.

https://www.certum.eu/certum/cert,offer_en_open_source_cs.xml

from ioq3.

NuclearMonster avatar NuclearMonster commented on July 20, 2024 1

Big update for notarization on Macs in this Twitter thread:
https://twitter.com/rosyna/status/1402065462641364997

from ioq3.

liqube avatar liqube commented on July 20, 2024 1

Well at this point in time we're looking at about 700 USD per year for EV, which is pretty much not doable for most small businesses, or at least in start-up phases. Prices for non-EV have in recent years tactically been raised quite a bit to make it look more inviting to "just pay these 200 USD extra".

About the "warnings", I wish I could say it's only when a certificate is new. I've had it for every new build, across 8 years' time, with different issuer certificates, from low-end to high-end. I never got to a point where I can just release a build because my certificate's been in use for 2 years. This is all a very opaque business, extortion as you said, so nobody really understands what triggers what, and why these things happen. After all, it all drives us to buying EV in the hope, and this is key - playing with hopes - the worst play there is, that we can just pay this and continue to focus on coding our thing here.

On the web we have movements like "Let's Encrypt" that helped a lot. Of course this one renews every month or so, which makes it semi-unsuitable as proof of origin. Here's me hoping that one day we'll have a similar thing for code signing, with focus shifting away from monetization of the people who produce software that keeps a platform alive towards offering these people an incentive of producing software, and offering the users who download the software improved and strict proof of origin.

I have to point to Kevin Burton's excellent summary of the topic here:
https://www.youtube.com/watch?v=mwuk0E-tfeg

from ioq3.

timangus avatar timangus commented on July 20, 2024 1

Hmm well, that's not my experience. I've used a bunch of CAs over the years and it usually only takes a week or so for the "people don't download this much" warning to go away after a certificate is issued, on relatively low traffic projects. I certainly have never seen it again after it goes away, i.e. after doing new builds. I'll have a watch of your youtube dude when I get a chance... My biggest gripe with code signing (besides the extortionate costs) is all the documentation you need to supply and phone calls you have to make and receive. It all takes so long and is so ridiculously token gesture-like, that I can't imagine it prevents actual fraud very often, not that it's a fraud vector that I expect is ever used in the first place. People just click through the installation of unsigned apps anyway. Shrug.

from ioq3.

liqube avatar liqube commented on July 20, 2024 1

I fully agree. This whole thing, using obsolete software and services, needing to use very specific browsers, waiting for them to respond to problems – that pretty much every single person must experience – with no solutions, being forwarded, having all these documents at hand, sending them several times, and again, having to sign up with certain things I don't want to sign up for (like Google Business, or shady "business directories") to be verified as a company (when really I am already verified in 20 other ways, legally), then needing to install Skype again because they require it to have a face to face talk with them, sign a paper, and hold it in the camera, all seems like a huge joke, and I'm sure they are aware of it.

So how does that help make it safer for the user to not accidentally install bad software? It doesn't. And you're right, they just click through unsigned apps anyway. Especially when unsigned apps look exactly the same as signed apps.

I'll second the shrug here ;)

from ioq3.

maxcrofts avatar maxcrofts commented on July 20, 2024

Microsoft calls it Authenticode:
https://msdn.microsoft.com/en-us/library/windows/desktop/ee416211.aspx

The documentation has instructions for incorporating the signing process into a build system. Essentially signtool would have to be run by Jenkins as part of the build process in order for the test builds to be code signed.

from ioq3.
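As an added illustration of the build step described above (this is not ioq3 project code), a PowerShell script a Jenkins Windows agent could run after the compile stage: it signs each artifact with signtool, timestamps the signature, and fails the build if verification does not pass. It assumes signtool.exe from the Windows SDK is on PATH and that the signing certificate's private key sits in the agent's certificate store, selected by the thumbprint in the constructed environment variable CODESIGN_THUMBPRINT, so no .pfx file has to live in the workspace or the repository.

```powershell
# Added example (not from the ioq3 project): Jenkins post-build step that
# Authenticode-signs release binaries with signtool.exe and verifies the result.
# Assumptions: signtool.exe is on PATH; the cert + private key are in the build
# agent's certificate store and referenced by SHA-1 thumbprint via the
# constructed env var CODESIGN_THUMBPRINT.
param(
    [Parameter(Mandatory)][string[]]$Files,          # e.g. build\release\ioquake3.exe
    [string]$Thumbprint = $env:CODESIGN_THUMBPRINT,
    [string]$TimestampUrl = 'http://timestamp.digicert.com'
)
$ErrorActionPreference = 'Stop'
if (-not $Thumbprint) {
    throw 'CODESIGN_THUMBPRINT is not set; refusing to produce an unsigned release.'
}

foreach ($f in $Files) {
    # /fd SHA256: file digest; /tr + /td: RFC 3161 timestamp so the signature
    # stays valid after the certificate expires; /sha1: pick the cert from the
    # store by thumbprint instead of passing a .pfx path and password.
    & signtool sign /fd SHA256 /sha1 $Thumbprint /tr $TimestampUrl /td SHA256 /v $f
    if ($LASTEXITCODE -ne 0) { throw "signtool sign failed for $f (exit $LASTEXITCODE)" }

    # /pa: verify against the default Authenticode policy (not the driver
    # policy). A signature that does not chain to a trusted root fails the build.
    & signtool verify /pa /v $f
    if ($LASTEXITCODE -ne 0) { throw "signtool verify failed for $f (exit $LASTEXITCODE)" }

    # Independent check through PowerShell's own API; log who signed the file
    # so the build record shows which certificate was used.
    $sig = Get-AuthenticodeSignature -FilePath $f
    if ($sig.Status -ne 'Valid') {
        throw "Get-AuthenticodeSignature reports $($sig.Status) for $f"
    }
    Write-Host "Signed $f as $($sig.SignerCertificate.Subject)"
}
```

Scoping the thumbprint variable to the signing job and keeping the store-resident key non-exportable limits what a compromised workspace or leaked build log can reveal.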

timangus avatar timangus commented on July 20, 2024

The hard part is getting a code certificate really. You need to be a legal entity in order to qualify for one. Also, they cost a couple of hundred $ a year, or thereabouts.

from ioq3.

DavidLudwig avatar DavidLudwig commented on July 20, 2024

I've done work with Apple code signing before. I might be able to help with that, at least a bit.

The hard part, in my experience, is setting up infrastructure to reliably sign new Apple-OS builds. That definitely includes maintaining certificates, however, that pain can be alleviated a bit (but not 100%) through use of calendar software, and perhaps some docs (enough to guide people through it).

There's also the issue of designating private-key ownership and distribution, and making sure it doesn't get posted to unwanted places, like, say, GitHub.

from ioq3.

liqube avatar liqube commented on July 20, 2024

Even if you use a standard Code Signing certificate on Windows it'll show that message until several thousand people have downloaded your build. And that's for every new build you release. The goal here is to push you to buy an Extended Verification (EV) code signing certificate, which gives you certain, errm, advantages. That, of course, they can shove up theirs.

Don't even bother, save your sanity.

from ioq3.
