[SAC] so code signing

Jody Garnett jody.garnett at gmail.com
Tue Oct 25 14:30:38 PDT 2016


Excellent, Larry is your point of contact (think you two sorted out the
macOS last time so you know the drill).

Larry are we missing anything?

--
Jody Garnett

On 25 October 2016 at 14:27, Michael Smith <michael.smith.erdc at gmail.com>
wrote:

> I can work on this. Has anyone gone through the process to see what info
> is needed? I ask as before we did the OS X dev account I had to get a DUNS
> id. Just wondering if there is any base info we need for the purchase.
>
> If not, I should be able to do this tomorrow (afk this evening).
>
> Michael Smith
> Remote Sensing/GIS Center
> US Army Corps of Engineers
>
> On Oct 25, 2016, at 4:58 PM, Jody Garnett <jody.garnett at gmail.com> wrote:
>
> Afternoon Michael,
>
> The GeoServer project is now in a position to make use of a certificate for
> signing Windows 10 applications (indeed the signing issue came up during
> testing of our release candidate).
>
> Can I ask that you purchase a certificate we can use on Windows? Larry
> provided https://www.digicert.com/code-signing/code-signing.htm as an
> example of a cost-effective provider.
>
> I think it would be appropriate to purchase this for 2-3 years?
>
> If we purchase this on behalf of the GeoServer project (that has a tight
> deadline) we can ask SAC to manage the certificate (and carefully share it
> with the QGIS and OSGeo4Win team).
>
> Larry am I missing anything? Who is responsible for the QGIS community
> windows releases?
>
> Related tickets:
> - https://trac.osgeo.org/osgeo/ticket/1813
> - https://osgeo-org.atlassian.net/browse/GEOS-7812
>
>
> --
> Jody Garnett
>
> On 27 May 2016 at 03:37, Michael Smith <michael.smith.erdc at gmail.com>
> wrote:
>
>> All,
>>
>> OSGeo now has an Apple Developer Organization account. I can provide
>> access to projects to get code signing certificates for OS X applications.
>>
>> OSGeo should do the same for Windows applications as well, whether
>> through the EV Signing certificate described below or some other route
>> but it's now one of those infrastructure components that OSGeo should
>> provide to projects (the question of full or incubated projects also needs
>> to be discussed).
>>
>> Just let me know what you all think is the best route and I'll follow the
>> steps to get a Windows signing certificate for OSGeo.
>>
>> Michael Smith
>> OSGeo Treasurer
>>
>> > On May 27, 2016, at 6:21 AM, Fenoy Gerald <gerald.fenoy at geolabs.fr> wrote:
>> >
>> > Dear Jody, Dear all,
>> > I have to say first that I know only a little about all this Code
>> > signing certificate but have learnt a bit later this week.
>> >
>> > When using Windows 10, which was not really my cup of tea, I have
>> > noticed that some installers of our applications, such as QGIS itself,
>> > give the privilege to the end user who tries to install them to see an
>> > ugly SmartScreen saying that the application is unsafe and can damage
>> > your computer (it is probably better said than what I expressed here,
>> > but I have the message in French locally :) ).
>> >
>> > So, learning that we need a real certificate to sign an application I
>> > have bought an OV code signing certificate, at that step I unfortunately
>> > noticed that I cannot register ZOO-Project as a provider because I don’t
>> > have any phone bill, official address and so on which are required when
>> > you acquire such kind of a certificate. So finally I have decided to
>> > move on by using GeoLabs SARL for which I have everything required even
>> > if it doesn’t really fit for this application. Still, I have built again
>> > then signed the application with it and I still have this silly
>> > SmartScreen appearing. So I learned a bit more and contacted back the
>> > SSL provider I have dealt with, they confirmed that only 5 CAs (in the
>> > whole world) are allowed to provide the *key* EV-Certificate required to
>> > sign your Windows application. Note that the provider I use provides
>> > EV-SSL but not EV-Certificate for code signing as they are not allowed
>> > to provide such certificates by Microsoft.
>> >
>> > Anyway, I thought to myself fine, I will simply pass a contract with
>> > another provider, still with the same issue that I have to use my
>> > personal or my company name (which are not a real solution as the
>> > software is made by a community, where not everyone is involved in
>> > GeoLabs SARL in any way nor under my name). So I went to the 5 CAs and
>> > checked for pricing and what is offered for the announced price. When I
>> > went on the digicert website [1] to order a code signing certificate for
>> > my company I have seen this, for 224$ per year, you can have an "EV Code
>> > Signing Certificate" (perfect it is exactly what I was looking for) but
>> > I got the surprise that it provides a little bit more than code signing
>> > for Windows platform only. Indeed, they textually said that within the
>> > 224$ US contract you will have access to this: "Supports Microsoft
>> > Authenticode, Office VBA, Java, Adobe AIR, Apple's Mac OS, and Mozilla
>> > objects."
>> >
>> > So it seems that by registering to this certificate provider (digicert)
>> > we can have a signature which can be used on the 2 platforms (MacOS X
>> > and Windows). I am aware that we are all much more familiar with MacOS X
>> > than with Windows but still I think it makes sense to provide support
>> > for code signing for both.
>> >
>> > Note also that even if GeoLabs SARL is getting an EV Code Signing
>> > Certificate it can only be considered a wrong solution as it is not
>> > handled only by GeoLabs SARL and it is not its responsibility to provide
>> > such kind of signature I think.
>> >
>> > I hope that OSGeo can provide a solution for our projects for code
>> > signing without favoring any platform on top of the other. Open Source
>> > can work anywhere so I don’t think it makes much sense to have only the
>> > MacOS X developer account to solve the issue only for MacOS X platform.
>> >
>> > Still, I have another question, like the more important by now for the
>> > ZOO-Project itself: supposing that OSGeo provides a solution for its
>> > software for code signing, I suppose that it will be available only for
>> > incubated projects, right? For me it makes sense to have only incubated
>> > projects getting the capability to sign the app with OSGeo as Producer
>> > of the application. But, in such a case, I would like to know because it
>> > will mean that we will have to find another way around the issue and
>> > probably go for a company’s EV Code Signing Certificate even if it does
>> > not really fit with our purpose.
>> >
>> > I do apologize for not stepping in this thread earlier but I got the
>> > information only a few hours ago (for both Windows and MacOS platforms
>> > I mean).
>> >
>> > I hope to hear back from you,
>> > Best regards,
>> >
>> > [1] https://www.digicert.com/order/order-1.php
>> >
>> >> On 20 Apr 2016 at 21:23, Jody Garnett <jody.garnett at gmail.com> wrote:
>> >>
>> >> Has there been any progress on the code signing certificate stuff for
>> >> QGIS? I am going through GeoServer 2.9-beta2 release process - and the
>> >> mac platform is getting increasingly restricted.
>> >>
>> >> (Not that I disagree, the restriction warns users if they are running
>> >> code that has not been signed - I kind of like the idea of users being
>> >> asked if they trust OSGeo when installing GeoServer).
>> >>
>> >> I guess whatever has been worked out for QGIS we would like a piece of
>> >> for GeoServer. It may also be worth reaching out to other applications
>> >> (especially desktop applications) once we have a procedure in place.
>> >> --
>> >> Jody Garnett
>> >> _______________________________________________
>> >> Sac mailing list
>> >> Sac at lists.osgeo.org
>> >> http://lists.osgeo.org/mailman/listinfo/sac