Sign the EXE files for trust

Open hichemfantar opened this issue 2 years ago • 6 comments

Suggestion

Installer EXE files should be properly signed for better trust of the packages on the website.

Use case

Guarantee that the distributed binaries are generated by a trusted party.

Extra info/examples/attachments

The proper instructions are available here.

hichemfantar avatar Nov 17 '22 10:11 hichemfantar

https://github.com/qbittorrent/qBittorrent/issues/18022#issuecomment-1315056483

qBittorrent's installer/EXE is not signed. I think that's a requirement. It is extremely expensive and tedious to do so. (last time I checked)

stalkerok avatar Nov 17 '22 11:11 stalkerok

Ugh this has been mentioned so many times. Let me just find a few existing tickets about it. I even mentioned why it's not signed. It's not trivial, it's expensive to do so (you need a software cert) and it's a tedious process.

Balls0fSteel avatar Nov 17 '22 12:11 Balls0fSteel

https://github.com/qbittorrent/qBittorrent/issues/1376

I mentioned a few prices and links in there back then.

Balls0fSteel avatar Nov 17 '22 12:11 Balls0fSteel

Code signing is indeed becoming more and more important for trust in binary distribution, especially for software installed system-wide with elevated privileges.

Cost was an issue for FLOSS software but things have changed since 2014. There are now initiatives to provide code signing to open source projects for free, such as SignPath:

  • https://signpath.org/
  • https://about.signpath.io/product/open-source

Vim or Transmission installers are signed this way.

c0bw3b avatar Feb 19 '23 17:02 c0bw3b

MSIX packages can be signed for free when published to the Microsoft Store, for example: https://www.advancedinstaller.com/msix-digital-signing.html

soredake avatar May 10 '23 16:05 soredake

Close this as a dupe

luzpaz avatar May 14 '23 13:05 luzpaz