> Continuing a lilypond-user discussion on code signing for LilyPond
executables, in hopes of pacifying security software.
On 16/11/2022 7:55 am, Karlin High wrote:
On 11/15/2022 2:30 PM, Jonas Hahnfeld via Discussions on LilyPond
development wrote:
b) whether we would need to buy a certificate for that.
I think the answer is "yes, need to buy certificate."
And even that is no guarantee of executables not getting flagged after
downloads, UNLESS there is a large and powerful outfit behind the
signature that the security companies wish to avoid angering.
<http://blog.nirsoft.net/2009/05/17/antivirus-companies-cause-a-big-headache-to-small-developers/>
If a certificate WAS pursued, with macOS having the greatest need I
expect, it looks like it would need contact info and a mailing
address. That is where I stopped research, having no idea what would
be used there.
On 11/15/2022 5:40 PM, Andrew Bernard wrote:
I have never had a Windows app certified, but I don't think there is any
cost associated with it, it's just a process at Microsoft. This sort of
signing is not a TLS certificate possibly involving cost (though most
people use Let's Encrypt now).
This is a page from Microsoft. I think it's outdated but the principles
would remain roughly the same.
https://learn.microsoft.com/en-us/windows/win32/win_cert/windows-certification-portal
If there is any interest I'd be happy to investigate this more
seriously. Perhaps this should be on the devel list?
Andrew
A code signing certificate is not the same thing as a TLS certificate.
Perhaps the difference would mostly be marketing and the nature of
assurance assertions from the provider.
Step 3 at the windows-certification-portal link includes "Get a code
signing certificate."
That leads to this page with 7 different options for certificate providers:
<https://learn.microsoft.com/en-us/windows-hardware/drivers/dashboard/code-signing-cert-manage>
I am seeing annual prices from 129 to over 500 USD, depending on what
options are included, such as Extended Validation certificates and
Hardware Security Modules for protecting the signing.
I am dim on what Extended Validation all involves. But I have in mind it
includes verifying that the entity buying the certificate has a
legitimate existence. For LilyPond, that entity would be... the main
developer listed in GNU projects? The Free Software Foundation?
Something else?
Maybe skip Extended Validation then.
But then some providers list "Immediate reputation with Microsoft
SmartScreen Filter" as a selling point for Extended Validation.
Which I guess would fall back to having new executables still getting
flagged, and having someone immediately respond with a request to have
the fresh EXE file marked as trusted. The times I've done this to aid
small developers I trust who have just published new code, Microsoft
goes through a routine of "Who are you, anyway? Are you the publisher?"
I guess trying to make sure I am not a malware distributor trying to get
their latest evil scheme pre-approved with security software somehow.
Those very cautious could just wait a week or two for all that to settle
before downloading and running. Eventually security software catches on.
For Apple's macOS world, things are far different yet. Possible starting
point:
<https://developer.apple.com/support/certificates/>
--
Karlin High
Missouri, USA
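As an added example that is not part of the thread: the concrete thing that separates a code-signing certificate from a TLS certificate is the Extended Key Usage extension. This script (assuming OpenSSL 1.1.1 or newer on PATH; the certificates are throwaway self-signed test data) builds one of each kind and checks which one would be accepted for signing.

```shell
#!/bin/sh
# Added example, not code from the LilyPond thread. It shows the concrete
# difference between a code-signing certificate and a TLS certificate:
# the Extended Key Usage (EKU) extension. Assumes OpenSSL 1.1.1+ on PATH.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_cert NAME EKU: build a throwaway self-signed certificate carrying the
# given extendedKeyUsage (constructed test data, not issued by any CA).
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=example-$1" -addext "extendedKeyUsage=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# eku_of FILE: print the certificate's EKU purpose line, e.g. "Code Signing".
eku_of() {
    openssl x509 -in "$1" -noout -ext extendedKeyUsage | sed -n '2s/^ *//p'
}

# can_sign_code FILE: succeed only if the EKU permits code signing, which is
# what signing tools check before they will use a certificate at all.
can_sign_code() {
    eku_of "$1" | grep -q 'Code Signing'
}

# demo: one certificate with the codeSigning EKU, one with serverAuth (TLS).
demo() {
    make_cert codesign codeSigning
    make_cert tls serverAuth
    for name in codesign tls; do
        if can_sign_code "$WORK/$name.pem"; then
            verdict="usable for code signing"
        else
            verdict="NOT usable for code signing"
        fi
        printf '%s.pem  EKU: %-30s -> %s\n' \
            "$name" "$(eku_of "$WORK/$name.pem")" "$verdict"
    done
}

demo
```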