New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Signed binaries #149

Closed
annejan opened this Issue Jan 25, 2016 · 8 comments

Comments

Projects
None yet
2 participants
@annejan
Member

annejan commented Jan 25, 2016

Do we want / need signed installers / executables for Windows (and OSX?)

A) Find out how to do that (via MS or via some CA?)
B) Figure out how to do this via the CI system (without exposing priv-key)

Related / supersedes #138

@jounathaen

This comment has been minimized.

Member

jounathaen commented Jan 25, 2016

hmm, this would make the project a bit depending on the person that owns the priv-key (annejan does a great job, but isn't this somehow against the idea of "free software"). Do the "big" Open Source projects (OpenOffice, Firefox, ...) have signed installers? Who has access in that case? Does the certificate produce continuous costs?
On Windows, the Certificates are useful to prevent false warnings from Antivirus? Do they have other advantages (man in the middle downloads )?

@annejan

This comment has been minimized.

Member

annejan commented Jan 25, 2016

I don't think they do provide any benefits compared to a good hash, but I do think it's a good idea to discuss this.
It doesn't go against the idea of open source of free software as the source will still be available, nothing will change in that perspective.

The reason I was asked (IRL) wether we (IJhack) can provide signed binaries is that for their corporate environment to be able to adopt QtPass they'll need to have signed binaries.
There seem to be yearly fees involved, which I might get sponsored.
A side problem is that neither GPG nor git seem to come in a signed variant 😉
So yes, this seems to be a moot point currently, unless someone can convince us otherwise in this thread.

Providing GPG signed binaries like some distro's do might be an idea too, but that won't stop windows defender (or whatever that checkbox, yes I'm really really sure mechanism is called) from nagging.

I also don't see it as depending the project on that key, since it's just a bit of convenience for the end-users.
And yes, malicious use of such a key would quickly invalidate it (at-least, I'd hope for it to not be a complete sham) . .

@jounathaen

This comment has been minimized.

Member

jounathaen commented Jan 27, 2016

Hmm Ok, I get the Point about the corporate usage. I'm not against signed installers, I just wanted to ask ;-)
So, why not. But I personally have no Idea how :-D

@jounathaen

This comment has been minimized.

Member

jounathaen commented Jan 27, 2016

A short web research gives the following Stack Overflow site:
http://stackoverflow.com/questions/252226/signing-a-windows-exe-file
The certificate could maybe be the same as a Certificate for the IJHack site.
I've also heard about the let's encrypt Project, which gives certificates for free:
https://letsencrypt.org/
The disadvantage is, that https://letsencrypt.org ist nor a trusted authority in many browsers. (Although it gives a valid certificate that enables secure SSL browsing)

@jounathaen

This comment has been minimized.

Member

jounathaen commented Jan 27, 2016

And I don't know how windows handles unknown CAs in installers

@annejan

This comment has been minimized.

Member

annejan commented Jan 27, 2016

Unfortunately letsencrypt only does domain validation certificates, not organisation validation ones that are needed for binary signing.
But as far as I can tell a cheap Comodo cert should . .

QtPass.org uses Let's Encrypt for it's certificate ssllabs analysis.
Let's Encrypt is supported by all modern browsers and up-to-date operating systems.

@jounathaen

This comment has been minimized.

Member

jounathaen commented Jan 27, 2016

@annejan

This comment has been minimized.

Member

annejan commented Feb 5, 2016

For now this issue is closed, I know all I need to know and might in the future pay some protection-money to not have end-users be harassed, but for now I've decided not to give into bribes.

@annejan annejan closed this Feb 5, 2016

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment