[Zoo-discuss] [ZOO-PSC] EV Code Signing Certificate

Venkatesh Raghavan venka.osgeo at gmail.com
Fri May 27 06:54:08 PDT 2016


Hi Gerald,

Yes, the SmartScreen warning comes up even when installing other
OSGeo. As you said, it requires any installer for Windows-10 to be
authenticated with EV level certificate. Currently we can ignore
the SmartScreen warning and run the installer but I heard that Microsoft
is going to make EV Level certification mandatory in due course.

This will be an issue for all OSGeo software providing a Windows installer
and the discussion on how to resolve this issue could
be taken up on OSGeo-discuss.

One option could be that OSGeo Foundation manages the EV level 
certification for all OSGeo projects.

I wonder if there is any other way we could consider.

Best

Venka

On 2016/05/27 22:34, Fenoy Gerald wrote:
> Dear community, Dear PSC members, Dear Developers, this topic is of
> concern for everyone involved in ZOO-Project in any way.
>
> I come to you today with a trouble I feel unsafe to deal with as I
> already committed mistakes in the way to solve it … So it is better
> to come back to you for asking for some insights and to decide a way
> to go for solving it.
>
> To make the long story short, we have produced a software which is
> responsible to install the ZOO-Project on your Windows machine.
> Nevertheless, when you try to run this installer it leads the user to
> face a message mentioning that the application is not authorized to
> run and can damage your computer (not a very friendly message, isn’t
> it), in fact you can see that we were using a valid OV certificate
> (acquired for 'GeoLabs SARL' which was the only entity I can
> register, as I was not able to provide any official paper for the
> ZOO-Project) for code signing, still SmartScreen is complaining. So,
> I realized that I made a mistake in acquiring this certificate as
> Microsoft is now requiring the certificate to have the EV level.
>
> As you may notice, I have two different issues, the first one is that
> I cannot register anything else than my personal name or 'GeoLabs
> SARL' (as it is my company so I can handle any request for the
> validation as in the case of personal account). So, for me this
> can be only a temporary solution (let's say to avoid this smart screen
> apparition any time the installer has been downloaded, which appears
> also for some other OSGeo software) because it is not the
> responsibility of 'GeoLabs SARL' or me to sign the application as it
> is the result of collaborative work, so it should be shared with the
> community. Nevertheless, I don’t know how to handle this right now as
> we need some official paper to create the certificate. Obviously,
> GeoLabs SARL can take this responsibility, it is just to say that I
> don’t understand why it has to do so.
>
> Still, I have another issue, I have identified a certification
> provider (it is quite easy to do so as Microsoft gave the privilege
> to 5 CA only to provide such an EV code signing certificate) but I
> wonder why 'GeoLabs SARL' should be named as the *provider* of the
> ZOO-Project when it is not the case, I personally think that OSGeo
> should provide such a certificate. Nevertheless, in my opinion OSGeo
> should share this certificate only amongst the incubated software.
> Still there is no certificate like this available at the time we
> speak.
>
> So I would like to ask the PSC, the developers, and the community for
> input to discuss and decide a way to go for dealing with this issue
> of certification. I say one more time that GeoLabs SARL is open to
> handle this, but feels it is not the right entity to do so. Still
> using it may make the process a bit faster than any other and be used
> for a temporary solution (let's say to sign the software for one year).
> Nevertheless, I don’t want that this can be considered as a bad
> behavior from GeoLabs SARL to try to take the lead or anything like
> this.
>
> Oh, still there is another option, GeoLabs SARL creates its own
> installer but I remove the download link from the ZOO-Project
> download repository on Bintray to avoid any misunderstanding.
>
> I hope my message was clear and I really expect inputs from you as
> I have to admit I am a bit lost in this.
>
> Best regards,
>
> Gérald Fenoy http://wiki.osgeo.org/wiki/User:Djay


