Certum used to provide free code signing certificates for open source projects, but unfortunately they have stopped doing that. Their base price for open source code signing appears quite good (25€), but apparently if you don't have a cryptographic card, they make you purchase one. That brings the price to 69€, then they charge 15€ in taxes and 35€ for shipping, which makes the total about US$130 -- outrageous for a 1-year code signing cert. Comodo is much less expensive.
DRC

On 2/15/19 3:22 PM, DRC wrote:
> I use Let's Encrypt to provide HTTPS on VirtualGL.org, TurboVNC.org, and
> libjpeg-turbo.org, but it doesn't appear that they currently or will
> ever support code signing:
>
> https://community.letsencrypt.org/t/do-you-support-code-signing/370/4
>
> Code signing means that the CA is signing off on their trust of an
> individual developer, which requires that they perform an identity check
> and such. I generally have to find a notary public and send a notarized
> affidavit (under penalty of perjury) along with photocopies of documents
> that prove my citizenship, current residence, and that I'm doing
> business as a developer. It's a colossal pain in the butt.
>
> DRC
>
> On 2/15/19 2:55 PM, Torsten Kupke wrote:
>> Hi DRC,
>>
>> did you hear about
>>
>> https://letsencrypt.org/
>>
>> They have provided free certificates for a couple of years. E.g., the producer
>> of my home router uses one for its firmware and web interface.
>>
>> B.R.
>>
>> Torsten
>>
>> On 15.02.2019 at 21:26, DRC wrote:
>>> The code signing certificate that has been used for four years to sign
>>> the TurboVNC JAR files for use with Java Web Start expired this week.
>>> Since I used a timestamp authority when signing the JARs, JAR files for
>>> existing releases should continue to work (please let me know if they
>>> don't.)
>>>
>>> Unfortunately Thawte no longer provides individual code signing
>>> certificates, so there is no way to renew my certificate. In addition
>>> to spending money that I don't have right now (2018 was a very bad year
>>> financially for VirtualGL, TurboVNC, and libjpeg-turbo), the process of
>>> getting on board with another certificate authority is painful enough to
>>> give me pause, particularly given that Java Web Start is now a
>>> deprecated feature. I would like to hear back (off-list is fine) from
>>> any organizations that are currently using Java Web Start with TurboVNC:
>>>
>>> 1. How many users do you estimate use TurboVNC with Java Web Start
>>> within your organization?
>>>
>>> 2. Do you re-sign the JAR files using your own certificate or keep them
>>> signed with my certificate?
>>>
>>> 3. If you currently rely on my certificate, would your deployment
>>> scenario allow you to white-list a self-signed certificate from The
>>> VirtualGL Project? (This would generally involve importing the
>>> certificate on the client side using the Java Control Panel.)
>>>
>>> 4. Would your company be willing to donate the money to this project
>>> (about US$200) necessary for me to purchase a Comodo individual code
>>> signing certificate for the next two years, thus ensuring that the
>>> TurboVNC JAR files for the 2.2.2 and 3.0.x releases remain signed?
>>>
>>> If I don't get feedback on this, my default course of action is going to
>>> be generating a self-signed certificate for The VirtualGL Project, thus
>>> requiring anyone who wishes to continue using TurboVNC with Java Web
>>> Start to white-list our certificate.
>>>
>>> DRC
