
Sign installers

Open towo opened this issue 7 years ago • 14 comments

Since Windows complains about unknown publishers and SmartScreen even tried to scare me off from installing the file, it would be nice™ to have a signed installer.

Big downside: you'd need a code signing certificate recognized by Windows. Possible upside: if you nag users to install CACert, it would maybe work with their certificates.

towo avatar May 21 '18 22:05 towo

I would like to do that but the price seemed prohibitive. For future reference, I have compiled a list of the certificate sellers recommended by Microsoft.

The “EV” versions immediately get rid of the SmartScreen filter warning message; otherwise, applications have to build their reputation (signed programs may inherit the reputation of your digital certificate).

| Seller | OV: 1 yr | OV: 2 yrs | OV: 3 yrs | EV: 1 yr | EV: 2 yrs | EV: 3 yrs |
|---|---|---|---|---|---|---|
| Sectigo | $100 | $90/yr | $80/yr | $350 | $306/yr | $290/yr |
| Certum | €140 | €120/yr | €110/yr | €360 | €285/yr | €270/yr |
| GlobalSign | $290 | $230/yr | $200/yr | $410 | $380/yr | $320/yr |
| Comodo/InstantSSL | $180 | $170/yr | $165/yr | $400 | $350/yr | $300/yr |
| Symantec | $500 | $435/yr | $415/yr | - | - | - |
| Digicert/Thawte | $500 | $470/yr | $470/yr | $700 | $664/yr | $664/yr |
| Entrust | - | - | - | - | - | - |

There is also a Certum OpenSource certificate at €28 but it only works with their €58 crypto card and has generally bad customer reviews (see comments).

I see the Playnite project had the same problem and they opted for a Certum certificate.

samhocevar avatar May 22 '18 11:05 samhocevar

OK so I have set up a donation page on Paypal and if one day enough users contribute, I shall buy a certificate.

samhocevar avatar Jun 05 '18 14:06 samhocevar

Having just chipped in, it looks like there's enough in the pool at this point for at least two years. Any update on plans?

kvan avatar Sep 11 '19 13:09 kvan

Getting a signed installer seems like a great idea.

About how many years of certification are we shooting for here? It looks like there's €786.00 raised as of 08/29/2020.

TurekBot avatar Aug 29 '20 17:08 TurekBot

Hmmm - maybe I should have looked harder at dates before contributing? @samhocevar how about an update? Perhaps the certum opensource option has improved? Since in the meantime, MS bought GitHub, maybe this whole issue will eventually go away for GitHub hosted (and toolchain built?) OS Windows projects…

Justin-Maxwell avatar Dec 03 '20 04:12 Justin-Maxwell

FWIW, it seems like we're at about 250$/a, cf. https://aboutssl.org/cheap-ev-code-signing-certificate-providers/

towo avatar Mar 16 '21 00:03 towo

Sam, how's the pool doing right now?

ericrbg avatar Jun 08 '21 17:06 ericrbg

I'm willing to chip in, but at this point I need to see some action from @samhocevar on this issue beforehand.

sharpjs avatar Jun 08 '21 18:06 sharpjs

I'm in the same boat as @sharpjs. At the latest published price of $240, the existing pool of $1019 is enough for 4 years and we could even push it to $1200 to be able to acquire a 5th year. But the same.

BTW it is the first time that I can access the donation page: https://www.paypal.com/pools/c/84ZrdNjDMQ I had been trying to reach it since last year (to donate) and it always kicked me out because I'm not located in the United States. I wonder how high the pool could have been without that restriction. Thanks for removing it!

Update - The donation page is blocked for me again.

ericflores avatar Aug 04 '21 02:08 ericflores

@samhocevar In case you are not aware, PayPal is going to retire the Money Pools service on 8 Nov 2021. There is a large banner at the top of the donation page, with a link to https://www.paypal.com/us/webapps/mpp/ua/moneypool-tnc for more details.

rfs613 avatar Sep 24 '21 15:09 rfs613

As an aside, https://github.com/sigstore is trying to be Let's Encrypt but for code signing. It's still in the too-early-for-functional-adoption stage on Windows, but possibly worth investigating.

TechyShishy avatar Oct 03 '21 02:10 TechyShishy

Another option to consider is SignPath, which provides free code signing for open source projects. They only support AppVeyor builds at the moment though. I'm using SignPath to provide signed installers for Tiled, and it seems Playnite has also transitioned to them.

bjorn avatar Oct 05 '21 14:10 bjorn

PayPal Money Pools is now discontinued

The PayPal Money Pools feature has been discontinued. The balance in the WinCompose donation pool has been transferred to @samhocevar's main PayPal account. (Based on this source.)

The donation link is now broken

The WinCompose donation URL now leads to a PayPal error page which no longer allows donations.

≥$1019 has been raised so far

Based on the comments above, the money raised so far is enough to buy a certificate which will last several years. If Sam wants, though, he can raise more money and can buy an even longer-lasting certificate.

I theorize that Sam might be busy with his job, other open-source contribution work, and/or various real-life obligations. Let's wait until Sam has more free time, and can push this issue forward.

Sam, please consider also accepting personal donations

@samhocevar: Please also consider creating a new donation link, for donations of money intended for your own personal use. If you create such a link, people can donate money to thank you for the time and effort which you've put into the project. It's not guaranteed that people will donate money to this cause, but it's very possible.

unforgettableid avatar Feb 24 '22 04:02 unforgettableid

For those of us on corpo Windows machines, typical "anti-" malware policies require signing, thus it's not just a scary message but WinCompose not working at all. While this machine is just for Lookout/Powerpoint, it's hard to live without being able to type characters you can on a non-toy OS.

Thus: any news? There was over $1k collected, and that SignPath thingy would be $0, thus you can get either several years of the paid cert or ∞ years of mucking with AppVeyor...

kilobyte avatar Mar 13 '23 19:03 kilobyte
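A defender-side check for the situation kilobyte describes: before rolling an installer out to managed Windows machines, confirm that it carries a valid Authenticode signature, who signed it, whether it is timestamped, and whether the signer's certificate carries the CA/Browser Forum EV code-signing policy OID (the EV kind samhocevar notes skips the SmartScreen reputation warning). This is an added PowerShell example, not code from the WinCompose project; the installer path is a placeholder, and the chain verdict depends on the trust store of the machine running it.

```powershell
# Added example, not WinCompose project code. Reports the Authenticode state of
# installer files so an admin can see, before deployment, whether a build would
# trip SmartScreen's "unknown publisher" warning or a signing-required policy.
param(
    # Placeholder path; point this at the installers you actually want to audit.
    [string[]]$Path = @('.\WinCompose-Setup.exe')
)

# Policy OID the CA/Browser Forum assigns to EV code-signing certificates.
$EvCodeSigningOid = '2.23.140.1.3'

function Test-EvCodeSigning {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    if (-not $Cert) { return $false }
    # Look for the EV policy OID inside the Certificate Policies extension (2.5.29.32).
    $policies = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.32' }
    if (-not $policies) { return $false }
    return [bool]($policies.Format($false) -match [regex]::Escape($EvCodeSigningOid))
}

foreach ($file in Get-ChildItem -Path $Path -File) {
    # Get-AuthenticodeSignature validates the signature and its chain; Status is
    # one of Valid, NotSigned, HashMismatch, NotTrusted, UnknownError, ...
    $sig  = Get-AuthenticodeSignature -FilePath $file.FullName
    $cert = $sig.SignerCertificate

    $verdict = switch ($sig.Status) {
        'Valid' {
            if ($sig.TimeStamperCertificate) { 'OK' }
            else { 'OK, but not timestamped: signature is no longer trusted once the certificate expires' }
        }
        'NotSigned' { 'Unsigned: SmartScreen will warn and signing-required policies will block it' }
        default     { "Signature problem: $($sig.StatusMessage)" }
    }

    [PSCustomObject]@{
        File    = $file.Name
        Status  = $sig.Status
        Signer  = if ($cert) { $cert.Subject } else { '(none)' }
        Issuer  = if ($cert) { $cert.Issuer } else { '(none)' }
        EV      = Test-EvCodeSigning -Cert $cert
        Verdict = $verdict
    }
}
```

Run it as `.\Check-InstallerSignature.ps1 -Path 'C:\Downloads\*.exe'` (script name is a placeholder) to get one row per file; a NotSigned row is exactly what the corporate policies in this thread refuse to run.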