Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Code Signing on Windows and macOS #203

Open
NuclearMonster opened this issue Aug 8, 2016 · 10 comments
Open

Code Signing on Windows and macOS #203

NuclearMonster opened this issue Aug 8, 2016 · 10 comments

Comments

@NuclearMonster
Copy link
Member

@NuclearMonster NuclearMonster commented Aug 8, 2016

Modern operating systems that are protective of their user's data present error messages when our binaries are executed because we don't sign our code. This sucks for our users because they experience extreme friction that prevents them from playing Quake 3 and games based on Quake 3, and it will only get worse for applications that don't sign over time as new operating systems make it more difficult to workaround this security measure and run unsigned code. We should probably fix it on our end, though I would guess you can't do that entirely in public on github because you'd be including our keys for whatever signing authority, perhaps we could at least include some pieces of scaffolding for a future release to sign executables?

In some magical ideal world our test builds from Jenkins would even be code signed.

Apple has documentation for macOS here:
https://developer.apple.com/library/prerelease/content/documentation/Security/Conceptual/CodeSigningGuide/Introduction/Introduction.html

Which has very easy to read language to explain the situation:

Code signing is a security technology, used in OS X, that allows you to certify that an app was created by you. Once an app is signed, the system can detect any change to the app—whether the change is introduced accidentally or by malicious code.

I'm not immediately finding a good starting point for Windows' code signing, they probably have some marketing name I'm not immediately aware of, will look again when I get a chance.

@maxcrofts
Copy link

@maxcrofts maxcrofts commented Apr 8, 2017

Microsoft calls it Authenticode:
https://msdn.microsoft.com/en-us/library/windows/desktop/ee416211.aspx

The documentation has instructions for incorporating the signing process into a build system. Essentially signtool would have to be run by Jenkins as part of the build process in order for the test builds to be code signed.

@timangus
Copy link
Member

@timangus timangus commented Apr 8, 2017

The hard part is getting a code certificate really. You need to be a legal entity in order to qualify for one. Also, they cost a couple of hundred $ a year, or thereabouts.

@adanski
Copy link

@adanski adanski commented Apr 8, 2017

Certum used to offer free certificates for open source projects. Unfortunately, they do not do it anymore but their current offer sounds good too.

https://www.certum.eu/certum/cert,offer_en_open_source_cs.xml

@DavidLudwig
Copy link

@DavidLudwig DavidLudwig commented Feb 4, 2018

I've done work with Apple code signing before. I might be able to help with that, at least a bit.

The hard part, in my experience, is setting up infrastructure to reliably sign new Apple-OS builds. That definitely includes maintaining certificates, however, that pain can be alleviated a bit (but not 100%) through use of calendar software, and perhaps some docs (enough to guide people through it).

There's also the issue of designating private-key ownership and distribution, and making sure it doesn't get posted to unwanted places, like, say, Github.

@NuclearMonster
Copy link
Member Author

@NuclearMonster NuclearMonster commented Jun 8, 2021

Big update for notarization on Macs in this Twitter thread:
https://twitter.com/rosyna/status/1402065462641364997

@liqube
Copy link

@liqube liqube commented Jul 7, 2021

Even if you use a standard Code Signing certificate on Windows it'll show that message until several thousand people have downloaded your build. And that's for every new build you release. The goal here is to push you to buy an Extended Verification (EV) code signing certificate, which give you certain, errm, advantages. That, of course, they can shove up theirs.

Don't even bother, save your sanity.

@timangus
Copy link
Member

@timangus timangus commented Jul 8, 2021

It isn't as many as thousands, for what it's worth. Even on a small project it only takes a small amount of time for that to go away. Also it's not every build, only when the certificate is new. I'm with you though in general though, code signing is basically extortion. There is no reason for it to be (relatively speaking) so expensive.

@liqube
Copy link

@liqube liqube commented Jul 8, 2021

Well at this point in time we're looking at about 700 USD per year for EV, which is pretty much not doable for most small business, or at least start-up phases. Prices for non-EV have in the recent year tactically been raised quite a bit to make it look more inviting to "just pay these 200 USD extra".

About the "warnings", I wish I could say it's only when a certificate is new. I've had it for every new build, across 8 years time, with different issuer certificates, from low-end to high-end. I never got to a point where I can just release a build because my certificate's been in use for 2 years. This is all a very opaque business, extortion as you said, so nobody really understands what triggers what, and why these things happen. After all it all drives us to buying EV in the hopes, and this is key - playing with hopes - the worst play there is, that we can just pay this and continue to focus on coding our thing here.

On the web we have movements like "Let's Encrypt" that helped a lot. Of course this one renews every month or so, which makes it semi-unsuitable as proof of origin. Here's me hoping that one day we'll have a similar thing for code signing, with focus shifting away from monetization of the people who produce software that keeps a platform alive towards offering these people an incentive of producing software, and offering the users who download the software improved and strict proof of origin.

I have to point to Kevin Burton's excellent summary of the topic here:
https://www.youtube.com/watch?v=mwuk0E-tfeg

@timangus
Copy link
Member

@timangus timangus commented Jul 8, 2021

Hmm well, that's not my experience. I've used a bunch of CAs over the years and it usually only takes a week or so for the "people don't download this much" warning to go away after a certificate is issued, on relatively low traffic projects. I certainly have never seen it again after it goes away, i.e. after doing new builds. I'll have a watch of your youtube dude when I get a chance... My biggest gripe with code signing (besides the extortionate costs) is all the documentation you need to supply and phone calls you have to make and receive. It all takes so long and is so ridiculously token gesture-like, that I can't imagine it prevents actual fraud very often, not that it's a fraud vector that I expect is ever used in the first place. People just click through the installation of unsigned apps anyway. Shrug.

@liqube
Copy link

@liqube liqube commented Jul 8, 2021

I fully agree. This whole thing, use obsolete software and services, needing to use very specific browsers, waiting for them to respond to problems – that pretty much every single person must experience – with no solutions, being forwarded, having all these documents at hand, sending them several times, and again, having to sign up with certain things I don't want to sign up (like Google Business, or shady "business directories") to be verified as a company (when really I am already verified in 20 other ways, legally), then needing to install Skype again because they require it to have a face to face talk with them, sign a paper, and hold it in the camera, all seems like a huge joke, and I'm sure they are aware of it.

So how does that help making it safer for the user to not accidentally install bad software? It doesn't. And you're right, they just click through unsigned apps anyways. Especially when unsigned apps look exactly the same as signed apps.

I'll second the shrug here ;)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
6 participants