[SAC] so code signing

Michael Smith michael.smith.erdc at gmail.com
Tue Oct 25 14:27:39 PDT 2016


I can work on this. Has anyone gone through the process to see what info is needed? I ask because before we did the OS X dev account I had to get a DUNS ID. Just wondering if there is any base info we need for the purchase. 

If not, I should be able to do this tomorrow (afk this evening). 

Michael Smith
Remote Sensing/GIS Center
US Army Corps of Engineers

> On Oct 25, 2016, at 4:58 PM, Jody Garnett <jody.garnett at gmail.com> wrote:
> 
> Afternoon Michael,
> 
> The GeoServer project is now in position to make use of a certificate for signing Windows 10 applications (indeed the signing issue came up during testing of our release candidate).
> 
> Can I ask that you purchase a certificate we can use on Windows? Larry provided https://www.digicert.com/code-signing/code-signing.htm as an example of a cost-effective provider.
> 
> I think it would be appropriate to purchase this for 2-3 years?
> 
> If we purchase this on behalf of the GeoServer project (which has a tight deadline) we can ask SAC to manage the certificate (and carefully share it with the QGIS and OSGeo4Win teams).
> 
> Larry, am I missing anything? Who is responsible for the QGIS community Windows releases?
> 
> Related tickets:
> - https://trac.osgeo.org/osgeo/ticket/1813
> - https://osgeo-org.atlassian.net/browse/GEOS-7812 
> 
> 
> --
> Jody Garnett
> 
>> On 27 May 2016 at 03:37, Michael Smith <michael.smith.erdc at gmail.com> wrote:
>> All,
>> 
>> OSGeo now has an Apple Developer Organization account. I can provide access to projects to get code signing certificates for OS X applications.
>> 
>> OSGeo should do the same for Windows applications as well, whether through the EV signing certificate described below or some other route, but it's now one of those infrastructure components that OSGeo should provide to projects (the question of full or incubated projects also needs to be discussed).
>> 
>> Just let me know what you all think is the best route and I'll follow the steps to get a Windows signing certificate for OSGeo.
>> 
>> Michael Smith
>> OSGeo Treasurer
>> 
>> > On May 27, 2016, at 6:21 AM, Fenoy Gerald <gerald.fenoy at geolabs.fr> wrote:
>> >
>> > Dear Jody, Dear all,
>> > I have to say first that I know only a little about all these code signing certificates but have learnt a bit later this week.
>> >
>> > When using Windows 10, which was not really my cup of tea, I have noticed that some installers of our applications, such as QGIS itself, give the end user who tries to install them the privilege of seeing an ugly SmartScreen warning saying that the application is unsafe and can damage your computer (it is probably better worded than what I expressed here, but I have the message in French locally :) ).
>> >
>> > So, learning that we need a real certificate to sign an application, I bought an OV code signing certificate; at that step I unfortunately noticed that I cannot register ZOO-Project as a provider because I don't have any phone bill, official address and so on, which are required when you acquire such a certificate. So finally I decided to move on by using GeoLabs SARL, for which I have everything required even if it doesn't really fit for this application. Still, I built again and then signed the application with it, and I still have this silly SmartScreen appearing. So I learned a bit more and contacted the SSL provider I had dealt with; they confirmed that only 5 CAs (in the whole world) are allowed to provide the *key* EV certificate required to sign your Windows application. Note that the provider I use provides EV SSL but not EV certificates for code signing, as they are not allowed to provide such certificates by Microsoft.
>> >
>> > Anyway, I thought to myself, fine, I will simply sign a contract with another provider, still with the same issue that I have to use my personal or my company name (which is not a real solution, as the software is made by a community where not everyone is involved in GeoLabs SARL in any way, nor under my name). So I went to the 5 CAs and checked the pricing and what is offered for the announced price. When I went on the DigiCert website [1] to order a code signing certificate for my company I saw this: for $224 per year you can have an "EV Code Signing Certificate" (perfect, it is exactly what I was looking for), but I got the surprise that it provides a little bit more than code signing for the Windows platform only. Indeed, they literally say that within the $224 US contract you will have access to this: "Supports Microsoft Authenticode, Office VBA, Java, Adobe AIR, Apple's Mac OS, and Mozilla objects."
>> >
>> > So it seems that by registering with this certificate provider (DigiCert) we can have a signature which can be used on both platforms (Mac OS X and Windows). I am aware that we are all much more familiar with Mac OS X than with Windows, but still I think it makes sense to provide support for code signing for both.
>> >
>> > Note also that even if GeoLabs SARL is getting an EV Code Signing Certificate, it can only be considered a wrong solution, as the software is not handled only by GeoLabs SARL and it is not its responsibility to provide such a signature, I think.
>> >
>> > I hope that OSGeo can provide a solution for our projects for code signing without favouring any platform over the other. Open Source can work anywhere, so I don't think it makes much sense to have only the Mac OS X developer account to solve the issue only for the Mac OS X platform.
>> >
>> > Still, I have another question, which is the more important one by now for the ZOO-Project itself: supposing that OSGeo provides a code signing solution for its software, I suppose that it will be available only for incubated projects, right? For me it makes sense to have only incubated projects getting the capability to sign the app with OSGeo as producer of the application. But in such a case I would like to know, because it will mean that we will have to find another way around the issue and probably go for a company's EV Code Signing Certificate even if it does not really fit our purpose.
>> >
>> > I do apologise for not stepping into this thread earlier, but I only got the information a few hours ago (for both the Windows and Mac OS platforms, I mean).
>> >
>> > I hope to hear back from you,
>> > Best regards,
>> >
>> > [1] https://www.digicert.com/order/order-1.php
>> >
>> >> On 20 Apr 2016 at 21:23, Jody Garnett <jody.garnett at gmail.com> wrote:
>> >>
>> >> Has there been any progress on the code signing certificate stuff for QGIS? I am going through the GeoServer 2.9-beta2 release process, and the Mac platform is getting increasingly restricted.
>> >>
>> >> (Not that I disagree; the restriction warns users if they are running code that has not been signed. I kind of like the idea of users being asked if they trust OSGeo when installing GeoServer).
>> >>
>> >> I guess whatever has been worked out for QGIS we would like a piece of for GeoServer. It may also be worth reaching out to other applications (especially desktop applications) once we have a procedure in place.
>> >> --
>> >> Jody Garnett
>> >> _______________________________________________
>> >> Sac mailing list
>> >> Sac at lists.osgeo.org
>> >> http://lists.osgeo.org/mailman/listinfo/sac
>> >
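The thread stops at buying the certificate; the step a release engineer takes next is signing the Windows installer and checking the result before upload. The following is an added example, not code from this thread, from OSGeo, GeoServer or any of the projects named above. The signtool path, the installer path, the certificate subject name and the timestamp server URL are assumptions for illustration.

```powershell
# Added example: sign a Windows installer with a code signing certificate that is
# already installed in the current user's certificate store, then verify it.
# All paths and names below are assumptions, not values from the thread.

$signtool  = "C:\Tools\signtool.exe"            # assumed location; signtool ships with the Windows SDK
$installer = "C:\build\GeoServer-setup.exe"     # assumed build artefact
$subject   = "OSGeo"                            # assumed CN of the signing certificate
$tsa       = "http://timestamp.digicert.com"    # assumed RFC 3161 timestamp server

# Select the certificate from the store by subject (/n) instead of loading a .pfx:
# EV code signing keys live on a hardware token, so the token's CSP does the
# signing and the private key never exists as a file.
# /fd SHA256 hashes the file with SHA-256; /tr + /td SHA256 embed a timestamp so
# the signature remains valid after the certificate itself expires.
& $signtool sign /n $subject /fd SHA256 /tr $tsa /td SHA256 /v $installer
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# Verify against the default Authenticode policy (/pa), the policy Windows applies
# when the installer is run; /v prints the chain and timestamp details.
& $signtool verify /pa /v $installer
if ($LASTEXITCODE -ne 0) { throw "signtool verify failed with exit code $LASTEXITCODE" }

# Same check from PowerShell: chain status, who signed, and whether a timestamp
# counter-signature is present.
$sig = Get-AuthenticodeSignature -FilePath $installer
[pscustomobject]@{
    Status      = $sig.Status                          # 'Valid' for a good chain
    Signer      = $sig.SignerCertificate.Subject
    Expires     = $sig.SignerCertificate.NotAfter
    Timestamped = ($null -ne $sig.TimeStamperCertificate)
}
if ($sig.Status -ne 'Valid') { throw "Signature status is $($sig.Status), not Valid" }
if ($null -eq $sig.TimeStamperCertificate) { throw "Installer was signed without a timestamp" }
```

A `Valid` status confirms only that the Authenticode chain and timestamp check out; it says nothing about SmartScreen, which is reputation-based. That matches what the thread reports: an OV-signed build still produced the warning, and the CA pointed to EV certificates as the route that avoids it.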