Code signing for XCA releases #478
Comments
SHA256 sums of all released binaries are always available here

I used the certum signing cert in the past, but they changed the token and I have to buy a new token, again ...

Thank you for your reply! Yes, sadly, the price makes quite a barrier. GPG, on the other hand, is free. If you could sign P.S. Just FYI, there's also https://about.signpath.io/product/open-source , they sign 'significant' OSS projects for free, but they require a CI pipeline in which they integrate themselves. Personally I did not bother with setting it for my OSS projects (yet).

@chris2511, I value proof of provenance and tamper-resistance for security-sensitive software, such as XCA. If the price of smart cards and readers is a barrier to getting and using a code-signing certificate to provide this, please contact me privately, and I will see what needs to be done to help you with this.
Hi,
I would like to ask you to consider signing the binaries and installer - not to get rid of AV warnings, but for authenticity reasons.
Authenticode signatures, unfortunately, cost some money ($29/yr + $60 for card+reader = $89 at Certum OpenSource Signing).
But even (detached) GPG signatures would be OK.
I (and probably many others) would like to be sure that the binaries are really coming from (and authorized by) you.
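As an added example that is not part of this issue or of XCA's own release tooling: how a user would check a release the way the request describes, first verifying a detached GPG signature over the published SHA256 sums file (authenticity), then checking each binary against the sums (integrity). The gpg invocation, the keyring path and the file names are assumptions; the sample release directory is constructed.

```python
import hashlib
import subprocess
import tempfile
from pathlib import Path

def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def parse_sums(text: str) -> dict:
    """Parse sha256sum(1) lines: '<hex>  <name>' or '<hex> *<name>' (binary mode)."""
    sums = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        if len(digest) != 64 or not all(c in "0123456789abcdef" for c in digest.lower()):
            raise ValueError(f"malformed digest line: {line!r}")
        sums[name.lstrip(" *")] = digest.lower()
    return sums

def check_sums(sums_file: Path, directory: Path) -> dict:
    """Step 2, integrity: {name: 'OK' | 'MISMATCH' | 'MISSING'} for each listed file."""
    results = {}
    for name, expected in parse_sums(sums_file.read_text()).items():
        target = directory / name
        if not target.is_file():
            results[name] = "MISSING"
        else:
            results[name] = "OK" if sha256_of(target) == expected else "MISMATCH"
    return results

def verify_detached_signature(sums_file: Path, sig_file: Path, keyring: Path) -> bool:
    """Step 1, authenticity: the sums file must carry a good detached signature from a key
    pinned in our own keyring, otherwise a swapped binary plus a swapped sums file still passes
    step 2. Runs gpg(1) (assumed installed); True only when gpg reports a good signature."""
    cmd = ["gpg", "--batch", "--no-default-keyring", "--keyring", str(keyring),
           "--verify", str(sig_file), str(sums_file)]
    return subprocess.run(cmd, capture_output=True).returncode == 0

def demo() -> dict:
    """Constructed release dir: one intact file, one tampered after publication, one absent."""
    d = Path(tempfile.mkdtemp())
    (d / "xca-setup.exe").write_bytes(b"constructed installer bytes")
    (d / "xca.dmg").write_bytes(b"constructed dmg bytes")
    lines = [f"{sha256_of(d / n)}  {n}" for n in ("xca-setup.exe", "xca.dmg")]
    lines += ["0" * 64 + "  xca-portable.zip"]  # listed in the sums file but never shipped
    (d / "SHA256SUMS").write_text("\n".join(lines) + "\n")
    (d / "xca.dmg").write_bytes(b"constructed dmg bytes, tampered")  # modified after signing
    return check_sums(d / "SHA256SUMS", d)
```

Run step 1 before step 2: a sums file fetched from the same server as the binaries proves nothing about who built them unless its signature checks out against a key you obtained independently.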