Code signing hell


DRC

Jun 12, 2023, 4:50:21 PM
to libjpeg-t...@googlegroups.com, libjpeg-t...@googlegroups.com, libjpeg-tur...@googlegroups.com
As I expressed previously
(https://groups.google.com/g/libjpeg-turbo-announce/c/BNMkCKkZbXo/m/afBaYCjxAQAJ),
the libjpeg-turbo 3.0 release has been delayed due to issues with the
renewal of my code signing certificate, which expired in May. As I have
done for the past 8 years, I used a discount certificate broker to
purchase the certificate from a CA (Sectigo, in this case, since they
are the only CA that still issues individual code signing certificates.)
The broker's online certificate generation tool has traditionally
stored the private key in my browser's certificate store for later
retrieval. However, the broker switched to a new tool that apparently
no longer stores the generated private key, and this wasn't made clear.
Thus, the private key for my renewed code signing certificate is lost,
and the certificate is useless. Even worse, as of June 1, new policies
require certificates to be delivered only on physical tokens, so the
cost of reissuing the certificate would be approximately 4-5 times what
I paid to renew it in April. Given that our project's budget is
exhausted through May of 2024, I simply cannot justify that cost right now.

Code signing requirements are an unfortunate reality with macOS and
Windows these days, and those requirements punish individual developers.
At least Apple makes it easy to obtain and renew a certificate as an
individual developer. Microsoft does not, so I have had to endure
various dramas every two years since 2015 in order to obtain/renew a
code signing certificate through a third party. I initially obtained an
individual code signing certificate through Thawte, but they stopped
offering them. It took some effort to get Sectigo to validate me the
first time, since I am an individual/sole proprietor and not a
corporation or other organization. Even with an individual code signing
certificate, Windows SmartScreen still treats your software as a
second-class citizen, subjecting it to a reputation-based system that
doesn't fully trust your software until a bunch of people download and
install it. Your software is automatically trusted if it is signed with
a more expensive EV code signing certificate, but my experience is that
it's impossible to get one of those unless you are a registered
commercial entity. Of course every minute I spend fighting that mess is
a minute that I can't spend developing open source software. It was a
bit easier to justify the code signing racket when it cost me $75/year,
but now I'm staring down the barrel of $300+/year. That's really hard
to justify. I could release the Windows installers unsigned, but
popular Windows browsers would block the download of the installers. In
Edge, for instance, the browser would report
"libjpeg-turbo-3.0.0-vc64.exe isn't commonly downloaded. Make sure you
trust libjpeg-turbo-3.0.0-vc64.exe before you open it." In order to
complete the download, you would have to click the three dots next to
the file name, then click "Keep", then click "Show More" on the dialog
that pops up, then click "Keep anyway." It would then be necessary to
click through further warnings when installing the software.

I am looking into solutions that other open source projects use, such as
SignPath. I am, of course, open to any other suggestions.

DRC
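The problem described above, a certificate issued for a private key that no longer exists, is easy to catch early if you check, before the old certificate expires, that the key file you have on hand actually matches the certificate you were issued. The following is an added example, not code from the thread or from the libjpeg-turbo project. It assumes only that `openssl` is installed; the key pair and self-signed certificate it creates are constructed sample data standing in for the broker-issued certificate and the key exported from a browser or hardware key store.

```shell
#!/bin/sh
# Added example (not from the libjpeg-turbo thread): confirm that a code signing
# certificate still has its matching private key before relying on it.
# Assumption: openssl is on PATH. The PEM files below are generated locally as
# constructed sample data; in practice you would point cert_matches_key at the
# certificate the CA delivered and the key exported from your key store.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed sample: a fresh RSA key and a self-signed certificate made from it.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/key.pem" 2>/dev/null
openssl req -new -x509 -key "$WORK/key.pem" -days 1 \
    -subj "/CN=example-signer" -out "$WORK/cert.pem" 2>/dev/null

# A second, unrelated key: this models the situation in the thread, where the
# certificate was issued but the key it was generated for was never saved.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/other.pem" 2>/dev/null

# cert_matches_key CERT KEY
# Exits 0 when the certificate's public key is the public half of KEY, and
# non-zero otherwise. Both sides are reduced to a SHA-256 digest of the
# DER-encoded SubjectPublicKeyInfo, so the comparison works the same way for
# RSA and EC keys and does not depend on PEM line wrapping.
cert_matches_key() {
    cert_pub="$(openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER | openssl dgst -sha256)"
    key_pub="$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)"
    [ "$cert_pub" = "$key_pub" ]
}

# Stand-alone run: report the outcome for both keys.
if cert_matches_key "$WORK/cert.pem" "$WORK/key.pem"; then
    echo "key.pem matches cert.pem"
fi
if ! cert_matches_key "$WORK/cert.pem" "$WORK/other.pem"; then
    echo "other.pem does NOT match cert.pem (certificate unusable with this key)"
fi
```

Running this check against the exported key immediately after the CA delivers the certificate, and again as part of the release checklist, turns a silently lost key into a visible failure while there is still time to act on it.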

DRC

Jun 13, 2023, 1:03:32 PM
to libjpeg-t...@googlegroups.com, libjpeg-t...@googlegroups.com, libjpeg-tur...@googlegroups.com
Unfortunately the certificate broker has informed me that they will not
refund my money for the now useless code signing certificate. 
Apparently their policy is that you can only get a refund within 30 days
of purchase, but the certificate was not even validated and issued
within 30 days of purchase.  My only choice would be to write off that
purchase as a loss and spend even more money with them to reissue the
certificate.  Nope.  I am waiting to hear back from SignPath. Since
their system is activated through AppVeyor, it will be necessary to
modify our source tree in order to integrate with it.  Thus, I want to
give them a chance to reply to my request before I release libjpeg-turbo
3.0.  If I do not hear from them by Friday, I will go ahead and release
libjpeg-turbo 3.0 with unsigned Windows installers.

Sorry for the continued delay.  Hopefully everyone understands that I am
doing my best to resolve these issues.

DRC

DRC

Jun 22, 2023, 4:04:51 PM
to libjpeg-t...@googlegroups.com, libjpeg-t...@googlegroups.com, libjpeg-tur...@googlegroups.com
I have completed the onboarding process with SignPath.io, but they are
working through some issues with their upstream CA regarding the
issuance of a new release certificate for libjpeg-turbo.  (This may be
related to the same policy changes I mentioned earlier, which apparently
all CAs implemented as of June 1.  I'm not sure.)

Meanwhile, another security researcher found additional bugs, so I am
working through those while I wait for the certificate.  I apologize
again for the delay.

DRC