View Issue Details

| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0001377 | OpenMPT | General | public | 2020-10-08 09:32 | 2020-10-08 10:59 |

Target Version: OpenMPT 2.0 (very long term goals)
Summary: 0001377: Making OpenMPT signed software
With each update Windows 10 brings, it keeps adding small automations to "make Microsoft have more control over their OS and improve protection", and its SmartScreen feature is no exception. I personally feel it has made the UAC more aggressive, since when you launch the installer nowadays, you get this window where the "Run anyway" button has become hidden. And if it takes another step in this direction, it will be obvious that Microsoft is about to kill unverified software roaming around free today on their OS.
How hard is software signing? I've seen that some other open source software like Notepad++ is signed.
Tags: No tags attached.
See further discussion in 0001011.
It's not hard, but expensive. You need to send out all sorts of legal documents to prove your identity to shady companies, and that's not really something I want to do, and it costs a non-trivial amount of money that I think is better spent otherwise.
Also, in the current situation, signing is actually infeasible for automated builds because we are building on at least 6 hosts for Windows, which are controlled by 2 different people and 1 unrelated organization (AppVeyor). A single signature certificate cannot be distributed to various hosts without defeating its very purpose.
Ah, I see.
Basically, the only way I personally can see the official installer that is downloadable from the front page (and which is currently only built by me, not by the buildbots) getting an official code-signing certificate is: someone decides to sponsor a code-signing certificate for OpenMPT and commits to paying for it every year, no matter whether the certificate becomes more expensive or not. I don't want to rely on our regular donation pool for this because it's not predictable, and the cheapest available option for open-source code signing certificates (a company called Certum) has increased its prices multiple times in the past, so one day those costs might be more than what we get in donations, in particular if maybe one day Certum decides to no longer offer their cheap(er) certificates for open-source software and we'd have to resort to a regular certificate (which is typically multiple hundreds of Euros). But I won't use my personal funds for buying a code-signing certificate, that's for sure.
The world of open source seems to need a crowd-funded certificate organisation, like Creative Commons is a crowd-funded license organisation.
Issue History

| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2020-10-08 09:32 | ASIKWUSpulse | New Issue | |
| 2020-10-08 09:34 | ASIKWUSpulse | Description Updated | |
| 2020-10-08 09:35 | manx | Note Added: 0004464 | |
| 2020-10-08 09:35 | manx | Relationship added | related to 0001011 |
| 2020-10-08 09:35 | manx | Target Version | => OpenMPT 2.0 (very long term goals) |
| 2020-10-08 09:37 | Saga Musix | Note Added: 0004465 | |
| 2020-10-08 09:40 | manx | Note Added: 0004466 | |
| 2020-10-08 09:43 | ASIKWUSpulse | Note Added: 0004467 | |
| 2020-10-08 09:49 | Saga Musix | Note Added: 0004468 | |
| 2020-10-08 10:59 | ASIKWUSpulse | Note Added: 0004469 | |