I use Let's Encrypt to provide HTTPS on VirtualGL.org, TurboVNC.org, and libjpeg-turbo.org, but it doesn't appear that they currently or will ever support code signing:
https://community.letsencrypt.org/t/do-you-support-code-signing/370/4 Code signing means that the CA is signing off on their trust of an individual developer, which requires that they perform an identity check and such. I generally have to find a notary public and send a notarized affidavit (under penalty of perjury) along with photocopies of documents that prove my citizenship, current residence, and that I'm doing business as a developer. It's a colossal pain in the butt. DRC On 2/15/19 2:55 PM, Torsten Kupke wrote: > Hi DRC, > > did your hear about > > https://letsencrypt.org/ > > They provide free certificates since a couple of years. E.g the producer > of my home router uses one for its firmware and web interface. > > B.R. > > Torsten > > Am 15.02.2019 um 21:26 schrieb DRC: >> The code signing certificate that has been used for four years to sign >> the TurboVNC JAR files for use with Java Web Start expired this week. >> Since I used a timestamp authority when signing the JARs, JAR files for >> existing releases should continue to work (please let me know if they >> don't.) >> >> Unfortunately Thawte no longer provides individual code signing >> certificates, so there is no way to renew my certificate. In addition >> to spending money that I don't have right now (2018 was a very bad year >> financially for VirtualGL, TurboVNC, and libjpeg-turbo), the process of >> getting on board with another certificate authority is painful enough to >> give me pause, particularly given that Java Web Start is now a >> deprecated feature. I would like to hear back (off-list is fine) from >> any organizations that are currently using Java Web Start with TurboVNC: >> >> 1. How many users do you estimate use TurboVNC with Java Web Start >> within your organization? >> >> 2. Do you re-sign the JAR files using your own certificate or keep them >> signed with my certificate? >> >> 3. If you currently rely on my certificate, would your deployment >> scenario allow you to white-list a self-signed certificate from The >> VirtualGL Project? (This would generally involve importing the >> certificate on the client side using the Java Control Panel.) >> >> 4. Would your company be willing to donate the money to this project >> (about US$200) necessary for me to purchase a Comodo individual code >> signing certificate for the next two years, thus ensuring that the >> TurboVNC JAR files for the 2.2.2 and 3.0.x releases remain signed? >> >> If I don't get feedback on this, my default course of action is going to >> be generating a self-signed certificate for The VirtualGL Project, thus >> requiring anyone who wishes to continue using TurboVNC with Java Web >> Start to white-list our certificate. >> >> DRC > -- You received this message because you are subscribed to the Google Groups "TurboVNC User Discussion/Support" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/turbovnc-users/b304d43f-3803-c449-8bce-ae75ccdc8cff%40virtualgl.org. For more options, visit https://groups.google.com/d/optout.
