EV Certificate signing #84
Greetings @deajan, I'm currently upgrading build automation, and one thing I'd like to do is automate executable signing with a certificate from Microsoft that should enable us to submit crash reports directly to their error handling facilities. Thank you for your offer of a certificate - please stay tuned and hopefully we'll have some signed builds.
Hmm...
AFAIK Microsoft does not distribute free certs, am I right?
Sorry for not being clear before; I'm looking into joining the Microsoft Partner program (free, I hope), and subsequently the Windows Desktop Application program. My thinking is that this allows WinNUT to send telemetry and crash events back to Microsoft so I'll be able to review and identify fixes more quickly. My understanding is that this program also provides a certificate to sign the executable, so I'm hoping that that takes care of this. Please let me know if I'm misunderstanding something!
AFAIK, confirmed by your link, you're supposed to have your own code signing certificate. That being said, there are OV (cheap) and EV (expensive) certificates, which provide different levels of trust for Authenticode.
Apparently I need to look into this more! I've got a laundry list of things ahead of me right now - first is getting build automation up and running, then addressing a few bugs people are experiencing. I'd like to look at this soon, though. I'll come back to this ticket, and hope I can keep your offer on hand. Thank you!
No problem, but keep in mind that I can only offer to sign the builds for you, as EV certificates come with hardware private keys, which are non-shareable. Keep me posted.
Hi @deajan, I'm moving further along with setting up CI/CD, and wanted to come back to you for more details on your offer. Would you mind describing how this signing process would work? I'd like to have everything isolated to the build environment so signing would happen there if at all possible.
Hi, well the thing with EV certificates is that you can't sign executables without having the actual hardware token, which is unique. For your CI, you could use a test code signing certificate, and sign with
I'm really on the fence about this, because having signed code is important for guaranteeing authenticity. WinNUT has historically been built on developers' systems, and for the sake of security (and authenticity, in some way), I've been putting a lot of work into getting the CD system up and running. I feel that at least in that way, users can verify the source code directly against the software they download from us. Keeping everything in the domain of GitHub has been an important aspect, and I'm not sure I feel comfortable putting anything in between that, including myself. In between bouts of writing YAML files and pushing/deleting/amending commits (sigh...), I've tried to do some more research into the concept of code signing. I came across a project called sigstore. My research is once again preliminary, but from my understanding, they're establishing an open-source chain of trust which seems like an ideal fit for an organization like NUTDotNet. Assuming I still haven't quite grasped all of this, though, what I may end up doing is just self-signing a certificate, throwing the secret into the project or organization, and committing the public cert directly to the repository. It'll be an ask, I think, for people to install/trust the certificate. But hopefully people would consider accepting that. I find myself getting distracted now on upgrading our update routine in WinNUT, so it'll be some time before I'm seriously looking at signing again. I just want to emphasize how much I appreciate you offering to do this and keeping the offer available.
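The two approaches floated in this thread (a test code signing certificate for CI, and a self-signed certificate whose public half is committed to the repository) both come down to the same mechanics on Windows. The script below is an added example and is not code from the WinNUT project or from anyone in this thread; it creates a self-signed code-signing certificate, exports the private key (for a CI secret) and the public certificate (for the repository), signs a binary with a timestamp, and shows the two checks a user can run. The subject name, file paths and timestamp server are assumptions.

```powershell
# Added example, not WinNUT's build tooling. Assumes Windows PowerShell 5.1+ on Windows 10/
# Server 2016 or later (for New-SelfSignedCertificate -Type CodeSigningCert).
# All paths and the subject name below are placeholders.

$subject = "CN=WinNUT Test Signing (hypothetical)"
$exePath = "C:\build\WinNUT-Client.exe"          # placeholder: a build output to sign
$pfxPath = "C:\build\winnut-test-signing.pfx"    # private key, goes into the CI secret store
$cerPath = "C:\build\winnut-test-signing.cer"    # public certificate, safe to commit

# 1. Self-signed certificate restricted to the Code Signing EKU (1.3.6.1.5.5.7.3.3),
#    stored in the current user's personal store. Limiting the EKU means the key
#    cannot be repurposed for TLS or client auth if the PFX ever leaks.
$cert = New-SelfSignedCertificate `
    -Subject $subject `
    -Type CodeSigningCert `
    -CertStoreLocation "Cert:\CurrentUser\My" `
    -KeyExportPolicy Exportable `
    -KeyLength 3072 `
    -HashAlgorithm SHA256 `
    -NotAfter (Get-Date).AddYears(1)

# 2. Export the private key (password-protected PFX) for CI and the bare public
#    certificate (DER .cer) for the repository.
$pfxPassword = Read-Host -AsSecureString -Prompt "PFX password"
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword | Out-Null
Export-Certificate    -Cert $cert -FilePath $cerPath | Out-Null

# 3. Sign the binary. The RFC 3161 timestamp lets the signature stay valid after the
#    certificate itself expires, so a one-year test cert does not invalidate old releases.
$sig = Set-AuthenticodeSignature -FilePath $exePath -Certificate $cert `
           -HashAlgorithm SHA256 -TimestampServer "http://timestamp.digicert.com"
# Because the cert is self-signed and not in Trusted Root, $sig.Status is UnknownError
# ("terminated in a root certificate which is not trusted") rather than Valid, even
# though the file is correctly signed. That is exactly what end users will see too.
"Signing result: {0}" -f $sig.Status

# 4a. What a user sees on a machine that has not imported the .cer: chain not trusted.
$check = Get-AuthenticodeSignature -FilePath $exePath
"{0}: {1} / {2}" -f $exePath, $check.Status, $check.SignerCertificate.Subject

# 4b. The check a user CAN do without installing anything: compare the signer's
#     thumbprint against the .cer committed to the repository. Get-PfxCertificate
#     also loads plain .cer files.
$expectedThumbprint = (Get-PfxCertificate -FilePath $cerPath).Thumbprint
if ($check.SignerCertificate -eq $null -or
    $check.SignerCertificate.Thumbprint -ne $expectedThumbprint) {
    throw "Signer does not match the published WinNUT certificate: refusing to trust $exePath"
}
"Signer thumbprint matches the committed certificate."
```

Step 4b is the useful part for a project that does not want to ask users to install a root certificate: pinning the thumbprint of the committed .cer gives the same "built from this project's key" assurance without granting that key system-wide trust, whereas importing a self-signed .cer into Trusted Root makes Windows accept anything signed by that key, including anything signed by whoever obtains the PFX from the CI secret store.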
Unless your CI is local, you won't be able to use your signing key (EV or OV since 3rd April) since it needs a physical USB token. Anyway, if someday you need to sign with an Authenticode trusted certificate, I'll be around.
Hello,
I have been a WinNUT user for a couple of months now, thanks for the effort.
Just one thing, how about signing the executables and installer with a code signing certificate, so you don't get the Windows Defender shield and other antivirus alerts?
As an open source developer myself, I do possess such a certificate, and could sign "general release" executables for you if needed.