Sounds like a plan to me. Do we have volunteers to implement this? :)
On Sun, Nov 9, 2014 at 8:29 PM, Martijn Berger <[email protected]> wrote:

> Hi everyone.
>
> I think this is a great idea.
>
> I would like to propose the following steps.
>
> 1) We put in place the infrastructure
> 2) We use a self-signed certificate ( blender foundation CA ) to sign our
>    buildbot builds and installers.
> 3) We buy / beg an official certificate to do the signing.
>
> This would allow us to delay spending the money till we can actually use
> the certificate. There are no real hurdles to just doing this but let's
> prove it works first.
>
> Martijn
>
>
> On Fri, Nov 7, 2014 at 1:39 AM, Dan McGrath <[email protected]> wrote:
>
> > Hey Ton,
> >
> > Well, the cert is just like any other SSL/x.509 certificate you would
> > get, except the properties of the certificate allow (limit) it to be
> > used specifically for signing code. You can get certs that can be set
> > to only be used for email, signing or encryption etc. The thing that
> > makes this use of the certificate unique (compared to regular SSL
> > certificates) is that you use special tools on Windows to sign binary
> > files (as opposed to installing in a web server like we do with SSL).
> > Although given the special purpose of making your software look
> > reputable and legitimate, they (the industry) of course demand a
> > premium for the cost of generating these certificates (ie: they charge
> > you up the wazoo!). Like our EV certificates, I believe they also go
> > through extra identity checks before they just hand one of these
> > certificates over to you.
> >
> > Comodo (our certificate provider) offers these certificates as well if
> > you are interested (Starting at $166.95/year):
> >
> > https://www.comodo.com/business-security/code-signing-certificates/code-signing.php
> >
> > With one of those, you should be able to follow the steps in the
> > Microsoft url I pasted earlier to do code signing. I believe you could
> > even generate your own self-signed CA cert and create one of these code
> > signing certificates to test the tools, but such a certificate would
> > not be trusted of course, and would only be useful to practice the
> > workflow.
> >
> > Dan
> >
> >
> > On Thu, Nov 6, 2014 at 12:37 PM, Ton Roosendaal <[email protected]> wrote:
> >
> > > Hi,
> > >
> > > I don't mind paying a bit, for as long as it's an undisputed, official
> > > cert recommended by Microsoft.
> > >
> > > -Ton-
> > >
> > > --------------------------------------------------------
> > > Ton Roosendaal - [email protected] - www.blender.org
> > > Chairman Blender Foundation - Producer Blender Institute
> > > Entrepotdok 57A - 1018AD Amsterdam - The Netherlands
> > >
> > >
> > > On 6 Nov, 2014, at 15:51, Dan McGrath wrote:
> > >
> > > > It sounds like Microsoft calls this "Authenticode". I don't have any
> > > > personal experience with it myself, but I did find this url at
> > > > Microsoft's website that might be of use to those looking into this:
> > > >
> > > > http://msdn.microsoft.com/en-us/library/ie/ms537359(v=vs.85).aspx
> > > >
> > > > Dan
> > > >
> > > > On Thu, Nov 6, 2014 at 9:12 AM, Ton Roosendaal <[email protected]> wrote:
> > > >
> > > >> Hi all,
> > > >>
> > > >> For OS X we sign the binary using our Apple developer account.
> > > >> It seems there's a similar system for Windows exes too.
> > > >> Please advise!
> > > >>
> > > >> (See mail below).
> > > >>
> > > >> -Ton-
> > > >>
> > > >>
> > > >> Begin forwarded message:
> > > >>
> > > >>> Subject: Vendor Approval Issue
> > > >>> Date: 6 November, 2014 14:17:11 CET
> > > >>> To: [email protected]
> > > >>>
> > > >>> Hi
> > > >>>
> > > >>> I have a generic issue that needs addressing so I have contacted
> > > >>> this email address in the hope that you can redirect it
> > > >>> appropriately.
> > > >>>
> > > >>> I use Comodo Internet Security Premium which includes a Defense
> > > >>> Plus element for monitoring running processes. Whilst I have
> > > >>> approved Blender as a process it refuses to recognise the Vendor as
> > > >>> the .exe file is not signed and has no developer information so it
> > > >>> will not allow me to add it to the approved list and keeps flagging
> > > >>> it every time I launch Blender.
> > > >>>
> > > >>> I am bringing this to your attention as it is annoying and I am
> > > >>> sure other users are experiencing the same issue and it could be
> > > >>> easily resolved but that can only be done by the development team.
> > > >>>
> > > >>> Trusted Vendors can sign up here to be whitelisted:
> > > >>>
> > > >>> http://internetsecurity.comodo.com/trustedvendor/signup.php
> > > >>>
> > > >>> Many thanks
> > > >>>
> > > >>> Mark
> > > >>>
> > > >>
> > > >> _______________________________________________
> > > >> Bf-committers mailing list
> > > >> [email protected]
> > > >> http://lists.blender.org/mailman/listinfo/bf-committers

--
With best regards, Sergey Sharybin

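Added example, not part of the thread: the practice workflow Dan and Martijn describe (a self-signed test CA issuing a certificate whose properties limit it to code signing), sketched with the OpenSSL command line. The choice of OpenSSL, all subject names, and the helper `is_code_signing_cert` are assumptions made for illustration; the thread names no tool.

```shell
# Practice-only PKI: a throwaway CA and leaf certificates (all names constructed).
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[codesign]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = codeSigning
[tls]
extendedKeyUsage = serverAuth
EOF

# Self-signed test CA; nothing trusts it unless it is imported by hand.
make_test_ca() {
    openssl req -x509 -config "$WORK/pki.cnf" -extensions v3_ca -newkey rsa:2048 \
        -nodes -sha256 -days 30 -subj "/CN=Example Test CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}
# issue_leaf NAME PROFILE: the CA signs a leaf using extension section PROFILE.
issue_leaf() {
    openssl req -new -config "$WORK/pki.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -CAcreateserial -sha256 -days 30 -extfile "$WORK/pki.cnf" -extensions "$2" \
        -out "$WORK/$1.pem" 2>/dev/null
}
# Succeeds only if the cert chains to the test CA and its sole EKU is Code Signing.
is_code_signing_cert() {
    openssl verify -CAfile "$WORK/ca.pem" "$1" >/dev/null 2>&1 || return 1
    eku=$(openssl x509 -in "$1" -noout -text |
        grep -A1 "X509v3 Extended Key Usage" | tail -n 1 | sed 's/^ *//')
    [ "$eku" = "Code Signing" ]
}

make_test_ca
issue_leaf example-signer codesign
issue_leaf example-web tls
for c in example-signer example-web; do
    if is_code_signing_cert "$WORK/$c.pem"; then echo "$c: usable for code signing"
    else echo "$c: rejected"; fi
done
```

The resulting certificate chains only to the throwaway CA, so signatures made with it are untrusted on any machine that has not imported that CA, which matches Dan's point that it is only good for practicing the workflow.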