<div dir="ltr">Hi,<div><br></div><div>Responding to several comments here:</div><div><br></div><div>On Thu, Oct 1, 2015 at 1:51 AM, Tim Sutton wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">On Thu, Oct 1, 2015 at 1:23 AM, Richard Duivenvoorde wrote: </blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><span class=""><blockquote type="cite">I was just wondering if buying a 'sign all OS packages' would be<br>cheaper in the long run (as I predict that Windows will have the same<br>stuff later on...).<br><br>But let's stick for an Apple cert for now then!<br><br>So who is going to buy that one (as <a href="http://qgis.org/" target="_blank">qgis.org</a> project) then?<br>Larry, or should I or Andreas do that?<br></blockquote><div><br></div></span><div>My vote would be for <a href="http://qgis.org/" target="_blank">QGIS.org</a> to buy it and pass it along to Larry and William to use to sign the packages they build.</div></blockquote></div><div><br></div><div class="gmail_extra">Agreed. It would be wise for the project manage this aspect, instead of relying upon a particular packager for this.</div><div class="gmail_extra"><br></div><div class="gmail_extra">My two cents: it would be better to have a single 'sign all OS packages' code-signing cert, which Apple supports in it tools and client [0, first note], though obviously not cheaper. This would also allow signing at least the standalone NSIS installer for windows (though it is a bit tricky to sign the uninstaller, as that is created upon install; there's a workaround, though).</div><div class="gmail_extra"><br></div><div class="gmail_extra">With Apple there is a distinction between an application cert and package installer cert. Would need to investigate whether a third-party cert (like from VeriSign) would work for both Apple-types of certs.</div><div class="gmail_extra"><br></div><div class="gmail_extra">On Thu, Oct 1, 2015 at 1:23 AM, Richard Duivenvoorde wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><span class="">><br>> I think the situation is the same as for windows users, and we<br>> should just use the same donation hint and approach / wording. It<br>> will be interesting to know how many OS X downloads there are in<br>> the course of this too...<br><br></span>I will write to both Larry and William if they can maybe upload their<br>packages to the download server.</blockquote></div><div class="gmail_extra"><br></div><div class="gmail_extra">Fine by me. Just need access to the download server and my SSH pub key added to authorized_keys so I can script the upload. Or, whatever works.</div><div class="gmail_extra"><br></div><div class="gmail_extra">On Thu, Oct 1, 2015 at 1:55 AM, Sandro Santilli <span dir="ltr"><<a href="mailto:strk@keybit.net" target="_blank">strk@keybit.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div id=":qo" class="" style="overflow:hidden">Unless the other one is not being paied already.<br>I'm not familiar with "code-signing" certificates, how are they<br>different from "key-signing" certificates used for SSL ?<br>Are there different root certificates ? Can you sign a windows driver,<br>an Apple application and an HTTPS key with the same certificate ?<br></div></blockquote><div><br></div><div>The certificate, trust chain and issuer signing setup are the same for all those certs, but for code signing the cert has extended usage flags to indicate it can be used for that purpose [1, 2], which is part of what is verified on the client OS side:</div><br>extendedKeyUsage = critical,codeSigning<br> <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div id=":qo" class="" style="overflow:hidden">/me feels like Italy burocracy was exported to the outside world (scary).</div></blockquote></div><div class="gmail_extra"><br></div><div class="gmail_extra">Yes it is a total scam that in the 'web of trust' game you eventually have to *pay* someone to vouch for you! I hope your government isn't that crazy. :-)</div><div class="gmail_extra"><br></div><div class="gmail_extra">If I could find a reasonable way to do this for free, I would certainly recommend that method. I don't like the idea of paying Apple, Microsoft, VeriSign or anyone else just for their seal of approval. But alas, this is how the client OS setup is for hundreds upon hundreds of thousands of QGIS users.</div><div class="gmail_extra"><br></div><div class="gmail_extra">[0] <a href="https://developer.apple.com/library/mac/documentation/Security/Conceptual/CodeSigningGuide/Procedures/Procedures.html#//apple_ref/doc/uid/TP40005929-CH4-SW2">https://developer.apple.com/library/mac/documentation/Security/Conceptual/CodeSigningGuide/Procedures/Procedures.html#//apple_ref/doc/uid/TP40005929-CH4-SW2</a></div><div class="gmail_extra"><br></div><div class="gmail_extra">[1] <a href="https://en.wikipedia.org/wiki/Code_signing">https://en.wikipedia.org/wiki/Code_signing</a></div><div class="gmail_extra">[2] <a href="http://pki-tutorial.readthedocs.org/en/latest/advanced/codesign.conf.html">http://pki-tutorial.readthedocs.org/en/latest/advanced/codesign.conf.html</a></div><div class="gmail_extra"><br></div><div class="gmail_extra">Regards,<br><div><div class="gmail_signature"><br>Larry Shaffer<br>Dakota Cartography<br>Black Hills, South Dakota</div></div>
<br><div class="gmail_quote">On Thu, Oct 1, 2015 at 2:01 AM, Richard Duivenvoorde <span dir="ltr"><<a href="mailto:richard@duif.net" target="_blank">richard@duif.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><span class="">On 01-10-15 09:55, Sandro Santilli wrote:<br>
<br>
>> Ok - so the Apple cert is still cheaper then.<br>
><br>
> Unless the other one is not being paied already.<br>
> I'm not familiar with "code-signing" certificates, how are they<br>
> different from "key-signing" certificates used for SSL ?<br>
> Are there different root certificates ? Can you sign a windows driver,<br>
> an Apple application and an HTTPS key with the same certificate ?<br>
<br>
</span>Sandro see<br>
<br>
<a href="https://lists.osgeo.org/pipermail/qgis-psc/2015-September/003274.html" rel="noreferrer" target="_blank">https://lists.osgeo.org/pipermail/qgis-psc/2015-September/003274.html</a><br>
<br>
I asked and yes, they are 'different' (main diff is that the one we have<br>
is free and the other not :-) )<br>
<br>
Regards,<br>
<br>
Richard Duivenvoorde<br>
<div class=""><div class="h5"><br>
_______________________________________________<br>
Qgis-psc mailing list<br>
<a href="mailto:Qgis-psc@lists.osgeo.org">Qgis-psc@lists.osgeo.org</a><br>
<a href="http://lists.osgeo.org/mailman/listinfo/qgis-psc" rel="noreferrer" target="_blank">http://lists.osgeo.org/mailman/listinfo/qgis-psc</a><br>
</div></div></blockquote></div><br></div></div>