[SAC] so code signing

Jody Garnett jody.garnett at gmail.com
Tue Oct 25 13:58:03 PDT 2016


Afternoon Michael,

The GeoServer project is now in position to make use of a certificate for
signing windows 10 applications (indeed the signing issue came up during
testing of our release candidate).

Can I ask that you purchase a certificate we can use on Windows? Larry
provided https://www.digicert.com/code-signing/code-signing.htm as an example
of a cost-effective provider.

I think it would be appropriate to purchase this for 2-3 years?

If we purchase this on behalf of the GeoServer project (which has a tight
deadline) we can ask SAC to manage the certificate (and carefully share it
with the QGIS and OSGeo4Win team).

Larry, am I missing anything? Who is responsible for the QGIS community
Windows releases?

Related tickets:
- https://trac.osgeo.org/osgeo/ticket/1813
- https://osgeo-org.atlassian.net/browse/GEOS-7812


--
Jody Garnett

On 27 May 2016 at 03:37, Michael Smith <michael.smith.erdc at gmail.com> wrote:

> All,
>
> OSGeo now has an Apple Developer Organization account. I can provide
> access to projects to get code signing certificates for OS X applications.
>
> OSGeo should do the same for Windows applications as well, whether through
> the EV Signing certificate described below or some other route, but it's
> now one of those infrastructure components that OSGeo should provide to
> projects (the question of full or incubated projects also needs to be
> discussed).
>
> Just let me know what you all think is the best route and I'll follow the
> steps to get a Windows signing certificate for OSGeo.
>
> Michael Smith
> OSGeo Treasurer
>
> > On May 27, 2016, at 6:21 AM, Fenoy Gerald <gerald.fenoy at geolabs.fr>
> wrote:
> >
> > Dear Jody, Dear all,
> > I have to say first that I know only a little about all this code
> signing certificate business, but have learnt a bit later this week.
> >
> > When using Windows 10, which was not really my cup of tea, I have
> noticed that some installers of our applications, such as QGIS itself, give
> the end user who tries to install them the privilege of seeing an ugly
> SmartScreen saying that the application is unsafe and can damage your
> computer (it is probably better said than what I expressed here, but I have
> the message in French locally :) ).
> >
> > So, learning that we need a real certificate to sign an application, I
> have bought an OV code signing certificate. At that step I unfortunately
> noticed that I cannot register ZOO-Project as a provider because I don't have
> any phone bill, official address and so on, which are required when you
> acquire such a certificate. So finally I have decided to move on by
> using GeoLabs SARL, for which I have everything required even if it doesn't
> really fit for this application. Still, I have built again and then signed the
> application with it, and I still have this silly SmartScreen appearing. So
> I learned a bit more and contacted again the SSL provider I had dealt with;
> they confirmed that only 5 CAs (in the whole world) are allowed to provide
> the *key* EV-Certificate required to sign your Windows application. Note
> that the provider I use provides EV-SSL but not EV-Certificates for code
> signing, as they are not allowed to provide such certificates by Microsoft.
> >
> > Anyway, I thought to myself, fine, I will simply sign a contract with
> another provider, still with the same issue that I have to use my personal
> or my company name (which are not a real solution as the software is made
> by a community, where not everyone is involved in GeoLabs SARL in any way
> nor under my name). So I went to the 5 CAs and checked the pricing and what
> is offered for the announced price. When I went on the DigiCert website [1]
> to order a code signing certificate for my company I saw this: for
> $224 per year, you can have an "EV Code Signing Certificate" (perfect, it
> is exactly what I was looking for), but I got the surprise that it provides
> a little bit more than code signing for the Windows platform only. Indeed, they
> literally said that within the $224 US contract you will have access to
> this: "Supports Microsoft Authenticode, Office VBA, Java, Adobe AIR,
> Apple's Mac OS, and Mozilla objects."
> >
> > So it seems that by registering with this certificate provider (DigiCert)
> we can have a signature which can be used on the 2 platforms (MacOS X and
> Windows). I am aware that we are all much more familiar with MacOS X than
> with Windows, but still I think it makes sense to provide support for code
> signing for both.
> >
> > Note also that even if GeoLabs SARL is getting an EV Code Signing
> Certificate, it can only be considered a wrong solution, as the software is not
> handled only by GeoLabs SARL and it is not its responsibility to provide
> such a signature, I think.
> >
> > I hope that OSGeo can provide a solution for our projects for code
> signing without favouring any platform over the other. Open Source
> can work anywhere, so I don't think it makes much sense to have only the
> MacOS X developer account to solve the issue only for the MacOS X platform.
> >
> > Still, I have another question, probably the most important one by now for the
> ZOO-Project itself: supposing that OSGeo provides a solution for its
> software for code signing, I suppose that it will be available only for
> incubated projects, right? For me it makes sense to have only incubated
> projects getting the capability to sign the app with OSGeo as Producer of
> the application. But, in such a case, I would like to know, because it will
> mean that we will have to find another way around the issue and probably go
> for a company's EV Code Signing Certificate even if it does not really fit
> with our purpose.
> >
> > I do apologise for not stepping into this thread earlier, but I only got the
> information a few hours ago (for both the Windows and MacOS platforms I
> mean).
> >
> > I hope to hear back from you,
> > Best regards,
> >
> > [1] https://www.digicert.com/order/order-1.php
> >
> >> On 20 Apr 2016 at 21:23, Jody Garnett <jody.garnett at gmail.com> wrote:
> >>
> >> Has there been any progress on the code signing certificate stuff for
> QGIS? I am going through the GeoServer 2.9-beta2 release process, and the Mac
> platform is getting increasingly restricted.
> >>
> >> (Not that I disagree; the restriction warns users if they are running
> code that has not been signed. I kind of like the idea of users being
> asked if they trust OSGeo when installing GeoServer.)
> >>
> >> I guess whatever has been worked out for QGIS we would like a piece of
> for GeoServer. It may also be worth reaching out to other applications
> (especially desktop applications) once we have a procedure in place.
> >> --
> >> Jody Garnett
> >> _______________________________________________
> >> Sac mailing list
> >> Sac at lists.osgeo.org
> >> http://lists.osgeo.org/mailman/listinfo/sac
> >