Signed binaries #149
Comments

hmm, this would make the project a bit dependent on the person that owns the priv-key (annejan does a great job, but isn't this somehow against the idea of "free software"). Do the "big" Open Source projects (OpenOffice, Firefox, ...) have signed installers? Who has access in that case? Does the certificate produce continuous costs?

I don't think they provide any benefits compared to a good hash, but I do think it's a good idea to discuss this. The reason I was asked (IRL) whether we (IJhack) can provide signed binaries is that for their corporate environment to be able to adopt QtPass they'll need to have signed binaries. Providing GPG-signed binaries like some distros do might be an idea too, but that won't stop Windows Defender (or whatever that "checkbox, yes I'm really really sure" mechanism is called) from nagging. I also don't see it as making the project dependent on that key, since it's just a bit of convenience for the end-users.

Hmm, OK, I get the point about the corporate usage. I'm not against signed installers, I just wanted to ask ;-)

A short web search gives the following Stack Overflow page:

And I don't know how Windows handles unknown CAs in installers.

Unfortunately Let's Encrypt only does domain validation certificates, not the organisation validation ones that are needed for binary signing. QtPass.org uses Let's Encrypt for its certificate (ssllabs analysis).

Maybe this is interesting: https://www.certum.eu/certum/cert,offer_en_open_source_cs.xml

For now this issue is closed. I know all I need to know and might in the future pay some protection money to not have end-users be harassed, but for now I've decided not to give in to bribes.
Do we want / need signed installers / executables for Windows (and OSX?)
A) Find out how to do that (via MS or via some CA?)
B) Figure out how to do this via the CI system (without exposing priv-key)
Related / supersedes #138