Code Signing on Windows and macOS #203
Modern operating systems that are protective of their users' data present error messages when our binaries are executed because we don't sign our code. This sucks for our users because they experience extreme friction that prevents them from playing Quake 3 and games based on Quake 3, and it will only get worse over time for applications that don't sign, as new operating systems make it more difficult to work around this security measure and run unsigned code. We should probably fix it on our end, though I would guess you can't do that entirely in public on GitHub because you'd be including our keys for whatever signing authority. Perhaps we could at least include some pieces of scaffolding for a future release to sign executables?
In some magical ideal world our test builds from Jenkins would even be code signed.
Apple has documentation for macOS here:
Which has very easy to read language to explain the situation:
I'm not immediately finding a good starting point for Windows' code signing, they probably have some marketing name I'm not immediately aware of, will look again when I get a chance.
Microsoft calls it Authenticode:
The documentation has instructions for incorporating the signing process into a build system. Essentially
Certum used to offer free certificates for open source projects. Unfortunately, they do not do it anymore but their current offer sounds good too.
referenced this issue
Feb 4, 2018
I've done work with Apple code signing before. I might be able to help with that, at least a bit.
The hard part, in my experience, is setting up infrastructure to reliably sign new Apple-OS builds. That definitely includes maintaining certificates; however, that pain can be alleviated a bit (but not 100%) through use of calendar software, and perhaps some docs (enough to guide people through it).
There's also the issue of designating private-key ownership and distribution, and making sure it doesn't get posted to unwanted places, like, say, GitHub.
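One way to guard against the key-leak concern raised in this thread is a pre-commit or CI check that refuses a tree containing private-key material. This is an added example, not code from the project or from any commenter; the function names, the suffix list and the sample files are assumptions made for illustration.

```python
import re
import tempfile
from pathlib import Path

# PEM armor that marks private key material (PKCS#1, PKCS#8, EC, DSA, OpenSSH).
PEM_PRIVATE = re.compile(
    rb"-----BEGIN (?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY-----")
# Binary containers commonly used for signing identities (assumed list):
# PKCS#12 exports (.p12/.pfx) and Microsoft .pvk private key files.
KEY_CONTAINER_SUFFIXES = {".p12", ".pfx", ".pvk"}


def find_key_material(root):
    """Return sorted (relative_path, reason) pairs for files that look like keys."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        rel_parts = path.relative_to(root).parts
        if not path.is_file() or ".git" in rel_parts:
            continue
        rel = path.relative_to(root).as_posix()
        if path.suffix.lower() in KEY_CONTAINER_SUFFIXES:
            findings.append((rel, "key container file extension"))
            continue
        # PEM headers sit at the start of a file; 64 KiB is enough to see them.
        with path.open("rb") as fh:
            head = fh.read(65536)
        if PEM_PRIVATE.search(head):
            findings.append((rel, "PEM private key header"))
    return sorted(findings)


def build_sample_tree(root):
    """Constructed sample repository: a source file, a fake PEM key, a fake .p12."""
    root = Path(root)
    (root / "code").mkdir()
    (root / "code" / "main.c").write_text("int main(void) { return 0; }\n")
    (root / "signing.pem").write_text(
        "-----BEGIN PRIVATE KEY-----\nCONSTRUCTED-NOT-A-REAL-KEY\n"
        "-----END PRIVATE KEY-----\n")
    (root / "identity.p12").write_bytes(b"\x30\x82constructed-not-a-real-export")
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for rel, reason in find_key_material(build_sample_tree(tmp)):
            print(f"BLOCK {rel}: {reason}")
```

Run from a pre-commit hook or as an early CI step, a non-empty result should fail the build before anything is pushed.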