Comments (10)
It isn't as many as thousands, for what it's worth. Even on a small project it only takes a small amount of time for that to go away. Also it's not every build, only when the certificate is new. I'm with you in general though, code signing is basically extortion. There is no reason for it to be (relatively speaking) so expensive.
from ioq3.
Certum used to offer free certificates for open source projects. Unfortunately, they do not do it anymore but their current offer sounds good too.
https://www.certum.eu/certum/cert,offer_en_open_source_cs.xml
from ioq3.
Big update for notarization on Macs in this Twitter thread:
https://twitter.com/rosyna/status/1402065462641364997
from ioq3.
Well at this point in time we're looking at about 700 USD per year for EV, which is pretty much not doable for most small businesses, or at least in start-up phases. Prices for non-EV have in recent years tactically been raised quite a bit to make it look more inviting to "just pay these 200 USD extra".
About the "warnings", I wish I could say it's only when a certificate is new. I've had it for every new build, across 8 years' time, with different issuer certificates, from low-end to high-end. I never got to a point where I can just release a build because my certificate's been in use for 2 years. This is all a very opaque business, extortion as you said, so nobody really understands what triggers what, and why these things happen. After all it all drives us to buying EV in the hope, and this is key - playing with hopes - the worst play there is, that we can just pay this and continue to focus on coding our thing here.
On the web we have movements like "Let's Encrypt" that helped a lot. Of course this one renews every month or so, which makes it semi-unsuitable as proof of origin. Here's me hoping that one day we'll have a similar thing for code signing, with focus shifting away from monetization of the people who produce software that keeps a platform alive towards offering these people an incentive of producing software, and offering the users who download the software improved and strict proof of origin.
I have to point to Kevin Burton's excellent summary of the topic here:
https://www.youtube.com/watch?v=mwuk0E-tfeg
from ioq3.
Hmm well, that's not my experience. I've used a bunch of CAs over the years and it usually only takes a week or so for the "people don't download this much" warning to go away after a certificate is issued, on relatively low traffic projects. I certainly have never seen it again after it goes away, i.e. after doing new builds. I'll have a watch of your youtube dude when I get a chance... My biggest gripe with code signing (besides the extortionate costs) is all the documentation you need to supply and phone calls you have to make and receive. It all takes so long and is so ridiculously token gesture-like, that I can't imagine it prevents actual fraud very often, not that it's a fraud vector that I expect is ever used in the first place. People just click through the installation of unsigned apps anyway. Shrug.
from ioq3.
I fully agree. This whole thing, using obsolete software and services, needing to use very specific browsers, waiting for them to respond to problems – that pretty much every single person must experience – with no solutions, being forwarded, having all these documents at hand, sending them several times, and again, having to sign up with certain things I don't want to sign up for (like Google Business, or shady "business directories") to be verified as a company (when really I am already verified in 20 other ways, legally), then needing to install Skype again because they require it to have a face to face talk with them, sign a paper, and hold it in the camera, all seems like a huge joke, and I'm sure they are aware of it.
So how does that help make it safer for the user to not accidentally install bad software? It doesn't. And you're right, they just click through unsigned apps anyways. Especially when unsigned apps look exactly the same as signed apps.
I'll second the shrug here ;)
from ioq3.
Microsoft calls it Authenticode:
https://msdn.microsoft.com/en-us/library/windows/desktop/ee416211.aspx
The documentation has instructions for incorporating the signing process into a build system. Essentially signtool would have to be run by Jenkins as part of the build process in order for the test builds to be code signed.
from ioq3.
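A build step of the kind the comment above describes, written here as an added example (it is not code from the ioq3 project or from Microsoft's documentation). It assumes the signing certificate is installed in the build agent's certificate store and selected by thumbprint, so no PFX file or password has to live in the repository; the environment variable name and the timestamp URL are hypothetical placeholders.

```powershell
# Added example, not from the ioq3 thread: sign a build artifact with signtool,
# then verify it two ways, so an unsigned or wrongly signed binary fails the job.
param(
    [Parameter(Mandatory = $true)][string]$ArtifactPath,
    # Hypothetical env var set on the Jenkins agent; never a PFX in the repo.
    [string]$CertThumbprint = $env:CODESIGN_THUMBPRINT,
    # Placeholder for your CA's RFC 3161 timestamp service.
    [string]$TimestampUrl   = "https://timestamp.example.invalid/tsa"
)

$ErrorActionPreference = "Stop"

if (-not (Test-Path $ArtifactPath)) { throw "Artifact not found: $ArtifactPath" }
if (-not $CertThumbprint)           { throw "No signing certificate thumbprint configured" }

# Sign with a SHA-256 file digest and an RFC 3161 timestamp; the timestamp keeps
# the signature valid after the certificate itself expires.
& signtool.exe sign /fd SHA256 /sha1 $CertThumbprint /tr $TimestampUrl /td SHA256 $ArtifactPath
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# Verify against the default Authenticode policy (/pa), verbose output for the log.
& signtool.exe verify /pa /v $ArtifactPath
if ($LASTEXITCODE -ne 0) { throw "signtool verify failed with exit code $LASTEXITCODE" }

# Independent cross-check through PowerShell's Authenticode API, and confirm the
# artifact was signed by the certificate we expected, not some other one in the store.
$sig = Get-AuthenticodeSignature -FilePath $ArtifactPath
if ($sig.Status -ne "Valid") {
    throw "Signature status is $($sig.Status), expected Valid"
}
if ($sig.SignerCertificate.Thumbprint -ne $CertThumbprint) {
    throw "Signed by unexpected certificate $($sig.SignerCertificate.Thumbprint)"
}
Write-Host "Signed and verified: $ArtifactPath ($($sig.SignerCertificate.Subject))"
```

Run it as the last step of the Jenkins build (for example `powershell -File sign-build.ps1 -ArtifactPath build\ioquake3.exe`); any non-zero exit fails the job before an unsigned test build is published.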
The hard part is getting a code certificate really. You need to be a legal entity in order to qualify for one. Also, they cost a couple of hundred $ a year, or thereabouts.
from ioq3.
I've done work with Apple code signing before. I might be able to help with that, at least a bit.
The hard part, in my experience, is setting up infrastructure to reliably sign new Apple-OS builds. That definitely includes maintaining certificates, however, that pain can be alleviated a bit (but not 100%) through use of calendar software, and perhaps some docs (enough to guide people through it).
There's also the issue of designating private-key ownership and distribution, and making sure it doesn't get posted to unwanted places, like, say, Github.
from ioq3.
Even if you use a standard Code Signing certificate on Windows it'll show that message until several thousand people have downloaded your build. And that's for every new build you release. The goal here is to push you to buy an Extended Verification (EV) code signing certificate, which gives you certain, errm, advantages. That, of course, they can shove up theirs.
Don't even bother, save your sanity.
from ioq3.