Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Consider signing the release #155

Open
savchenko opened this issue Aug 4, 2019 · 8 comments
Open

Consider signing the release #155

savchenko opened this issue Aug 4, 2019 · 8 comments
Labels
🙏 help wanted ✨ enhancement

Comments

@savchenko
Copy link

Subj. As the side-effect, should help with the false positives on VirusTotal.
@crazy-max
Copy link
Owner

It was discussed here. Since the cost of a software certificate to sign an app is expensive and I'm a one-man-army on this project, it will stay as it is for now.
I could reconsider that if I get enough donations 🎁

@savchenko
Copy link
Author

savchenko commented Aug 5, 2019
edited
Loading

Fair point, let's take a look at the options:

  • Digicert "Friends & Family" - USD 74$ per year, not sure if they include hardware token in this price.
  • Certum "Open source" - EUR 69€ and they ship smart-card with the reader to you. Most likely to attract EU VAT. Renewal is only 25€ though.

From the above, Certum looks more advantageous. Thoughts?

@crazy-max
Copy link
Owner

Digicert "Friend & Family" - USD 74$ per year, not sure if they include hardware token in this price.

That looks ok for me. I can use Microsoft Authenticode (digital certificates) and so signtool.

Certum "Open source" - EUR 69€ and they ship smart-card with the reader to you. Most likely to attract EU VAT. Renewal is only 25€ though.

Certum requires a physical hardware device and I don’t want to be the only one who can release the app. I prefer to be able to sign code with Microsoft Authenticode through signtool and use it on TravisCI.

@savchenko
Copy link
Author

I don’t want to be the only one who can release the app

Could you elaborate why? I would imagine the opposite to be true.

@crazy-max
Copy link
Owner

crazy-max commented Aug 5, 2019
edited
Loading

Could you elaborate why? I would imagine the opposite to be true.

It's more about to be able to automate the build process (and so code signing) through TravisCI while making a release.
If I add permission to someone (member scope) on GitHub he will be able to produce a signed release and so do not need a physical hardware device.

@savchenko
Copy link
Author

💸

@crazy-max
Copy link
Owner

Thanks a lot for your donation @asvc ❤️

@crazy-max crazy-max pinned this issue Aug 6, 2019
@savchenko savchenko mentioned this issue Oct 6, 2019
Open
@beerisgood
Copy link

As free solution you can sign your binary with your GPG key, provide the key details (ID + fingerprint) with the public key and that's it.
Then we can verify it's really from you.

As source for the public key you can upload it on your github rep + use keys.openpgp.org so get a mirror and also a second place to verify the key and protect it against manipulation on a single point of failure

If you then add checksums, like SHA512, then we also can verify that the file isn't changed in it's integrity or if the download is somehow corrupt

@savchenko savchenko mentioned this issue Jun 21, 2020
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
🙏 help wanted ✨ enhancement
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@savchenko @crazy-max @beerisgood