[Zoo-discuss] EV Code Signing Certificate
Fenoy Gerald
gerald.fenoy at geolabs.fr
Fri May 27 06:34:46 PDT 2016
Dear community, Dear PSC members, Dear Developers,
this topic is of concern for everyone involved in ZOO-Project in any way.
I come to you today with a trouble I feel unsafe to deal with as I already committed mistakes in the way to solve it …
So it is better to come back to you for asking for some insights and to decide a way to go for solving it.
To make the long story short, we have produced a software which is responsible to install the ZOO-Project on your Windows machine. Nevertheless, when you try to run this installer it leads the user to face a message mentioning that the application is not authorized to run and can damage your computer (not a very friendly message, isn’t it), in fact you can see that we were using a valid OV certificate (acquired for 'Geolabs SARL’ which was the only entity I can register, as I was not able to provide any official paper for the ZOO-Project) for code signing, still SmartScreen is complaining. So, I realized that I made a mistake in acquiring this certificate as Microsoft is now requiring the certificate to have the EV level.
As you may notice, I have two different issue, the first one is that I cannot register anything else than my personal name or 'GeoLabs SARL’ (as it is my company so I can handle any request for the validation as in the case of personal account). So, for me this is can be only a temporary solution (let say to avoid this smart screen apparition any time the installer has been downloaded, which appear also for some other OSGeo softwares) because it is not the responsibility of 'GeoLabs SARL’ or me to sign the application as it is the result of collaborative work, so it should be shared with the community. Nevertheless, I don’t know how to handle this right now as we need some official paper to create the ceritifcate. Obviously, GeoLabs SARL can take this responsibility, it is just to say that I don’t understand why it have to do so.
Still, I have another issue, I have identified a certification provider (it is quite easy to do so as Microsoft gave the privilege to 5 CA only to provide such an EV code signing ceritificate) but I wonder why 'GeoLabs SARL’ should be named as the *provider* of the ZOO-Project when it is not the case, I personally think that OSGeo should provide such a certificate. Nevertheless, in my opinion OSGeo should share this certificate only amongst the incubated software. Still there is no certificate like this available at the time we speak.
So I would like to ask the PSC, the developers, and the community for input to discuss and decide a way to go for dealing with this issue of certification. I say one more time that GeoLabs SARL is open to handle this, but feel to not be the right entity to do so. Still using it may make the process a bit faster than any other and be used for a temporary solution (let say to sign the software for one year). Nevertheless, I don’t want that this can be considerate as a bad behavior from GeoLabs SARL to try to take the lead or anything like this.
Ho, still there is another option, GeoLabs SARL create its own installer but I remove the download link from the ZOO-Project download repository on Bintray to avoid any misunderstanding.
I hope my message was clear and I really expect inputs from you care I have to admit I am a bit lost in this.
Best regards,
Gérald Fenoy
http://wiki.osgeo.org/wiki/User:Djay
More information about the Zoo-discuss
mailing list