
Any reputable free code-signing certificate authorities?


Gizmo:
Apologies if this has been raised before (quick search showed mostly OSX related talk).

I would like to ship code-signed copies of my program. A few years back I laid out for a certificate from DigiCert, and I asked £1.99 for each download of the code-signed exe, and although I recouped the £200, just, it didn't feel right. And the following year, the price doubled, to nearly £400. As the program was intended to be distributed for free, I stopped using it and resorted to shipping an unsigned exe.

I'm aware you can generate self-signed certificates using Kleopatra, but although that does sign it, it does not do so sufficiently for the OS (Windows) to treat it any differently from a trust perspective. AFAIK.

Let's Encrypt only does SSL certificates. And SigStore (which looks very promising https://www.linuxfoundation.org/en/press-release/linux-foundation-announces-free-sigstore-signing-service-to-confirm-origin-and-authenticity-of-software/) by the Linux Foundation is not available yet (https://github.com/sigstore/sigstore). But I am watching that space.

The question is: is there a "currently available way" of code-signing a release of our open source programs with no cost to us, as the developers? If not, how many of you distribute your projects as signed vs unsigned? Thanks
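The point in the post above about self-signed certificates can be shown directly. The following is an added example, not code from the original poster or the Lazarus project: it creates a self-signed Authenticode certificate with PowerShell, signs an executable with it, and then checks what Windows makes of that signature. It assumes a Windows 10 or later machine with the PKI module, an executable named myapp.exe in the current directory, an illustrative subject name, and DigiCert's public timestamp server being reachable (drop -TimestampServer to sign offline).

```powershell
# Added example (not from the forum post). Assumes .\myapp.exe exists, the
# PKI module is present (Windows 10+), and the subject name below is illustrative.

# 1. Create a self-signed code-signing certificate in the current user's store.
$cert = New-SelfSignedCertificate `
    -Type CodeSigningCert `
    -Subject "CN=Example Open Source Project" `
    -KeyAlgorithm RSA -KeyLength 3072 `
    -HashAlgorithm SHA256 `
    -NotAfter (Get-Date).AddYears(2) `
    -CertStoreLocation "Cert:\CurrentUser\My"

# 2. Sign the executable. The timestamp counter-signature lets the signature
#    remain valid after the certificate expires; omit it to sign offline.
Set-AuthenticodeSignature `
    -FilePath ".\myapp.exe" `
    -Certificate $cert `
    -HashAlgorithm SHA256 `
    -TimestampServer "http://timestamp.digicert.com" | Out-Null

# 3. Verify on the same machine. The file hash matches the signature, but the
#    chain ends in a root that no trust store on this machine contains, so the
#    verdict is not "Valid": this is the self-signed cert doing nothing for trust.
$check = Get-AuthenticodeSignature -FilePath ".\myapp.exe"
"{0}: {1}" -f $check.Status, $check.StatusMessage

# 4. The verdict changes only when the verifying machine trusts that root.
#    Installing it into the machine-wide Root and TrustedPublisher stores needs
#    an elevated shell; a corporate IT department could push the same .cer via
#    Group Policy to its own fleet for internally distributed software.
Export-Certificate -Cert $cert -FilePath ".\project-signing.cer" | Out-Null
Import-Certificate -FilePath ".\project-signing.cer" `
    -CertStoreLocation "Cert:\LocalMachine\Root" | Out-Null
Import-Certificate -FilePath ".\project-signing.cer" `
    -CertStoreLocation "Cert:\LocalMachine\TrustedPublisher" | Out-Null
(Get-AuthenticodeSignature -FilePath ".\myapp.exe").Status
```

On a machine that has not imported the certificate, step 3 reports Status UnknownError with the message that the chain terminated in a root certificate not trusted by the trust provider; after step 4 the same file reports Valid. That is the whole difference between a self-signed certificate and one from a CA whose root Windows already ships: the signature is cryptographically identical, only the root trust differs, and a self-signed root can only be made trusted machine by machine. Note too that SmartScreen's download reputation is separate from certificate trust, so importing a root does not by itself remove the "Windows protected your PC" prompt for a newly downloaded file.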

Marc:
For the Lazarus ide itself we have been thinking about https://shop.certum.eu/open-source-code-signing-code.html

Not free, but cheaper than others

Marc

Gizmo:
Thanks Marc. That is indeed something worth looking at. £35 for the card and £25 for the cert is a lot more affordable than the £400ish I was having to pay for DigiCert. I'll keep it in focus for my next release, if SigStore is still in dev and not released by then.

Thank you.

dbannon:

--- Quote from: Gizmo on May 25, 2021, 03:41:38 pm ---...... If not, how many of you distribute your projects as signed vs unsigned? Thanks

--- End quote ---

I don't sign the Windows version of my app, just warn people that they will be told it's risky.
I use a self-signed cert to sign the RPMs because SUSE likes that.
Even my macOS releases are unsigned and I see a number of downloads.
Overall, I have not yet ever had an end user complain about lack of appropriate signing. Maybe that is because I mention it and they think I consider the matter 'closed', maybe my users consider themselves capable of making their own decisions.

Generally, if there was a free certificate available, I guess the bad guys would use it too. In fact, there is probably quite a lot to be made out of dodgy software; I am surprised the bad guys don't spend the $400 just so people trust them.

Davo

Gizmo:
All valid stuff. And I have followed largely the same approach.

My problem is that a lot of my users enjoy the functionality of the program and would like to use it in more corporate settings. But often due to IT rules in the workplace, the lack of code-signing seems to be a barrier to adoption in some areas. So it's not always a matter of making their own choices. It is sometimes a matter of trying to comply with business IT rules, I think, to ensure that software running on a system can have its roots traced back to a verified developer\vendor.
