Code signing for XCA releases #478
Comments
|
SHA256 sums of all released binaries are always available here |
|
I used the certum signing cert in the past, but they changed the token and I have to buy a new token, again ... |
|
Thank you for your reply! Yes, sadly, the price makes quite a barrier. GPG, on the other hand, is free. If you could sign P.S. Just FYI, there's also https://about.signpath.io/product/open-source , they sign 'significant' OSS projects for free, but they require a CI pipeline in which they integrate themselves. Personally I did not bother with setting it for my OSS projects (yet). |
|
@chris2511, I value proof of provenance and tamper-resistance for security-sensitive software, such as XCA. If the price of smart cards and readers is a barrier to getting and using a code-signing certificate to provide this, please contact me privately, and I will see what needs to be done to help you with this. |
Hi,
I would like to ask you to consider signing the binaries and installer - not to get rid of AV warnings, but for authenticity reasons.
AuthentiCode signatures, unfortunately, cost some money ($29/yr + $60 for card+reader = $89 at Certum OpenSource Signing).
But even (detached) GPG signatures would be OK.
I (and probably many others) would like to be sure that the binaries are really coming from (and authorized by) you.
The text was updated successfully, but these errors were encountered: