Hmm, this would make the project a bit dependent on the person that owns the priv-key (annejan does a great job, but isn't this somehow against the idea of "free software"?). Do the "big" Open Source projects (OpenOffice, Firefox, ...) have signed installers? Who has access in that case? Does the certificate produce continuous costs?
On Windows, the certificates are useful to prevent false warnings from antivirus? Do they have other advantages (man-in-the-middle downloads)?
I don't think they do provide any benefits compared to a good hash, but I do think it's a good idea to discuss this.
It doesn't go against the idea of open source or free software, as the source will still be available; nothing will change in that perspective.
The reason I was asked (IRL) whether we (IJhack) can provide signed binaries is that for their corporate environment to be able to adopt QtPass they'll need to have signed binaries.
There seem to be yearly fees involved, which I might get sponsored.
A side problem is that neither GPG nor git seem to come in a signed variant 😉
So yes, this seems to be a moot point currently, unless someone can convince us otherwise in this thread.
Providing GPG-signed binaries like some distros do might be an idea too, but that won't stop Windows Defender (or whatever that checkbox, "yes I'm really really sure" mechanism is called) from nagging.
I also don't see it as making the project depend on that key, since it's just a bit of convenience for the end-users.
And yes, malicious use of such a key would quickly invalidate it (at least, I'd hope for it to not be a complete sham).