As I expressed previously
(
https://groups.google.com/g/libjpeg-turbo-announce/c/BNMkCKkZbXo/m/afBaYCjxAQAJ),
the libjpeg-turbo 3.0 release has been delayed due to issues with the
renewal of my code signing certificate, which expired in May. As I have
done for the past 8 years, I used a discount certificate broker to
purchase the certificate from a CA (Sectigo, in this case, since they
are the only CA that still issues individual code signing certificates.)
The broker's online certificate generation tool has traditionally
stored the private key in my browser's certificate store for later
retrieval. However, the broker switched to a new tool that apparently
no longer stores the generated private key, and this wasn't made clear.
Thus, the private key for my renewed code signing certificate is lost,
and the certificate is useless. Even worse, as of June 1, new policies
require certificates to be delivered only on physical tokens, so the
cost of reissuing the certificate would be approximately 4-5 times what
I paid to renew it in April. Given that our project's budget is
exhausted through May of 2024, I simply cannot justify that cost right now.
Code signing requirements are an unfortunate reality with macOS and
Windows these days, and those requirements punish individual developers.
At least Apple makes it easy to obtain and renew a certificate as an
individual developer. Microsoft does not, so I have had to endure
various dramas every two years since 2015 in order to obtain/renew a
code signing certificate through a third party. I initially obtained an
individual code signing certificate through Thawte, but they stopped
offering them. It took some effort to get Sectigo to validate me the
first time, since I am an individual/sole proprietor and not a
corporation or other organization. Even with an individual code signing
certificate, Windows SmartScreen still treats your software as a
second-class citizen, subjecting it to a reputation-based system that
doesn't fully trust your software until a bunch of people download and
install it. Your software is automatically trusted if it is signed with
a more expensive EV code signing certificate, but my experience is that
it's impossible to get one of those unless you are a registered
commercial entity. Of course every minute I spend fighting that mess is
a minute that I can't spend developing open source software. It was a
bit easier to justify the code signing racket when it cost me $75/year,
but now I'm staring down the barrel of $300+/year. That's really hard
to justify. I could release the Windows installers unsigned, but
popular Windows browsers would block the download of the installers. In
Edge, for instance, the browser would report
"libjpeg-turbo-3.0.0-vc64.exe isn't commonly downloaded. Make sure you
trust libjpeg-turbo-3.0.0-vc64.exe before you open it." In order to
complete the download, you would have to click the three dots next to
the file name, then click "Keep", then click "Show More" on the dialog
that pops up, then click "Keep anyway." It would then be necessary to
click through further warnings when installing the software.
I am looking into solutions that other open source projects use, such as
SignPath. I am, of course, open to any other suggestions.
DRC