WindowsSpyBlocker
WindowsSpyBlocker copied to clipboard
Consider signing the release
Subj. As the side-effect, should help with the false positives on VirusTotal.
It was discussed here. Since the cost of a software certificate to sign an app is expensive and I'm a one-man-army on this project, it will stay as it is for now. I could reconsider that if I get enough donations :gift:
Fair point, let's take a look at the options:
- Digicert "Friends & Family" - USD 74$ per year, not sure if they include hardware token in this price.
- Certum "Open source" - EUR 69€ and they ship smart-card with the reader to you. Most likely to attract EU VAT. Renewal is only 25€ though.
From the above, Certum looks more advantageous. Thoughts?
Digicert "Friend & Family" - USD 74$ per year, not sure if they include hardware token in this price.
That looks ok for me. I can use Microsoft Authenticode (digital certificates) and so signtool.
Certum "Open source" - EUR 69€ and they ship smart-card with the reader to you. Most likely to attract EU VAT. Renewal is only 25€ though.
Certum requires a physical hardware device and I don’t want to be the only one who can release the app. I prefer to be able to sign code with Microsoft Authenticode through signtool and use it on TravisCI.
I don’t want to be the only one who can release the app
Could you elaborate why? I would imagine the opposite to be true.
Could you elaborate why? I would imagine the opposite to be true.
It's more about to be able to automate the build process (and so code signing) through TravisCI while making a release. If I add permission to someone (member scope) on GitHub he will be able to produce a signed release and so do not need a physical hardware device.
:money_with_wings:
Thanks a lot for your donation @asvc :heart:
As free solution you can sign your binary with your GPG key, provide the key details (ID + fingerprint) with the public key and that's it. Then we can verify it's really from you.
As source for the public key you can upload it on your github rep + use keys.openpgp.org so get a mirror and also a second place to verify the key and protect it against manipulation on a single point of failure
If you then add checksums, like SHA512, then we also can verify that the file isn't changed in it's integrity or if the download is somehow corrupt