On Mon, Mar 26, 2012 at 9:32 AM, Jürgen Schmidt <[email protected]> wrote:

> On 3/23/12 7:25 AM, lou ql wrote:
>
>> on Windows 7, when I double-click the package to install, a User Account
>> Control message will appear and the publisher is "Unknown", will this be
>> fixed at the final version?
>>
>
> good question where I don't have an answer yet. We have to discuss this
> with legal and/or with our mentors.
>
> I think we will need a trustful certificate that is accepted and where we
> (or at least one person providing the binary Windows builds) has access to
> the private information ...
>
> I don't know if such a certificate already exists and if a process to use
> it is in an appropriate and secure way exists as well.
>

There was a mention of this a few weeks ago, that some at Apache were exploring the possibility of having code signing certificates for Apache releases. This was in the thread where we were discussing the anti-virus warnings about the 3.4 dev builds. But there was no indication of time frame.

Looking at the Verisign website, it looks like a 1-year "Authenticode" certificate costs *$499*.

And I assume that signing an EXE or MSI with a cert would break our detached PGP signature. So how we would integrate code signing with release procedures is an interesting question. Ditto for how we would protect our signing key. I assume we would not want 90 PPMC members to have access to it.

> @our mentors: can you provide any information or advice how we can address
> this issue?
>
> I assume it will become even more important for Windows 8.
>
> Juergen
>
