WindowsSpyBlocker icon indicating copy to clipboard operation
WindowsSpyBlocker copied to clipboard

Published 20 hours ago verified publisher icon crazy-max

Consider signing the release

Open savchenko opened this issue 4 years ago • 8 comments

Subj. As the side-effect, should help with the false positives on VirusTotal.

savchenko avatar Aug 04 '19 15:08 savchenko

It was discussed here. Since the cost of a software certificate to sign an app is expensive and I'm a one-man-army on this project, it will stay as it is for now. I could reconsider that if I get enough donations :gift:

crazy-max avatar Aug 04 '19 15:08 crazy-max

Fair point, let's take a look at the options:

  • Digicert "Friends & Family" - USD 74$ per year, not sure if they include hardware token in this price.
  • Certum "Open source" - EUR 69€ and they ship smart-card with the reader to you. Most likely to attract EU VAT. Renewal is only 25€ though.

From the above, Certum looks more advantageous. Thoughts?

savchenko avatar Aug 05 '19 08:08 savchenko

Digicert "Friend & Family" - USD 74$ per year, not sure if they include hardware token in this price.

That looks ok for me. I can use Microsoft Authenticode (digital certificates) and so signtool.

Certum "Open source" - EUR 69€ and they ship smart-card with the reader to you. Most likely to attract EU VAT. Renewal is only 25€ though.

Certum requires a physical hardware device and I don’t want to be the only one who can release the app. I prefer to be able to sign code with Microsoft Authenticode through signtool and use it on TravisCI.

crazy-max avatar Aug 05 '19 09:08 crazy-max

I don’t want to be the only one who can release the app

Could you elaborate why? I would imagine the opposite to be true.

savchenko avatar Aug 05 '19 09:08 savchenko

Could you elaborate why? I would imagine the opposite to be true.

It's more about to be able to automate the build process (and so code signing) through TravisCI while making a release. If I add permission to someone (member scope) on GitHub he will be able to produce a signed release and so do not need a physical hardware device.

crazy-max avatar Aug 05 '19 09:08 crazy-max

:money_with_wings:

savchenko avatar Aug 05 '19 10:08 savchenko

Thanks a lot for your donation @asvc :heart:

crazy-max avatar Aug 05 '19 12:08 crazy-max

As free solution you can sign your binary with your GPG key, provide the key details (ID + fingerprint) with the public key and that's it. Then we can verify it's really from you.

As source for the public key you can upload it on your github rep + use keys.openpgp.org so get a mirror and also a second place to verify the key and protect it against manipulation on a single point of failure

If you then add checksums, like SHA512, then we also can verify that the file isn't changed in it's integrity or if the download is somehow corrupt

beerisgood avatar Dec 13 '19 08:12 beerisgood