JAR signing


DRC

Feb 15, 2019, 3:26:44 PM
to turbovn...@googlegroups.com, turbovn...@googlegroups.com
The code signing certificate that has been used for four years to sign
the TurboVNC JAR files for use with Java Web Start expired this week.
Since I used a timestamp authority when signing the JARs, JAR files for
existing releases should continue to work (please let me know if they
don't).

Unfortunately Thawte no longer provides individual code signing
certificates, so there is no way to renew my certificate. In addition
to spending money that I don't have right now (2018 was a very bad year
financially for VirtualGL, TurboVNC, and libjpeg-turbo), the process of
getting on board with another certificate authority is painful enough to
give me pause, particularly given that Java Web Start is now a
deprecated feature. I would like to hear back (off-list is fine) from
any organizations that are currently using Java Web Start with TurboVNC:

1. How many users do you estimate use TurboVNC with Java Web Start
within your organization?

2. Do you re-sign the JAR files using your own certificate or keep them
signed with my certificate?

3. If you currently rely on my certificate, would your deployment
scenario allow you to white-list a self-signed certificate from The
VirtualGL Project? (This would generally involve importing the
certificate on the client side using the Java Control Panel.)

4. Would your company be willing to donate the money to this project
(about US$200) necessary for me to purchase a Comodo individual code
signing certificate for the next two years, thus ensuring that the
TurboVNC JAR files for the 2.2.2 and 3.0.x releases remain signed?

If I don't get feedback on this, my default course of action is going to
be generating a self-signed certificate for The VirtualGL Project, thus
requiring anyone who wishes to continue using TurboVNC with Java Web
Start to white-list our certificate.

DRC
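The first paragraph of the post above relies on the rule that makes timestamped signatures survive certificate expiry: when a trusted timestamp token is present, the verifier checks that the signer's certificate was valid at the attested signing time rather than at verification time. The following is an added example illustrating that rule, not code from the TurboVNC project or from the poster. It builds in-memory Ed25519 keys and self-signed X.509 certificates with the third-party `cryptography` package, and stands in for an RFC 3161 timestamp token with a second key that signs (signing time || SHA-256 of the signature). The certificate dates, the payload bytes and the names are constructed for the illustration; in a real JAR, jarsigner signs the META-INF `.SF` file and embeds the TSA token in the PKCS#7 signature block.

```python
"""Added example (not TurboVNC code): why a timestamped code signature still
verifies after the signing certificate has expired.  Requires the third-party
`cryptography` package; the timestamp token format is a toy stand-in."""
import datetime as dt
import hashlib
import struct

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives.asymmetric import ed25519
from cryptography.x509.oid import NameOID

EPOCH = dt.datetime(1970, 1, 1)   # all times below are naive UTC


def make_self_signed(key, name, not_before, not_after):
    """Self-signed certificate; only the validity window matters for this demo."""
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, name)])
    return (x509.CertificateBuilder()
            .subject_name(subject).issuer_name(subject)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(not_before)
            .not_valid_after(not_after)
            .sign(key, None))            # Ed25519 takes no separate hash algorithm


def validity(cert):
    """(notBefore, notAfter) as naive UTC datetimes, across cryptography versions."""
    nb = getattr(cert, "not_valid_before_utc", None)
    if nb is None:
        return cert.not_valid_before, cert.not_valid_after
    return nb.replace(tzinfo=None), cert.not_valid_after_utc.replace(tzinfo=None)


def timestamp(tsa_key, signature, when):
    """Toy TSA token: the TSA attests that `signature` existed at time `when`."""
    secs = int((when - EPOCH).total_seconds())
    body = struct.pack(">q", secs) + hashlib.sha256(signature).digest()
    return body, tsa_key.sign(body)


def verify(payload, signature, signer_cert, now, token=None, tsa_cert=None):
    """Return "ok" or a reason.  With a trusted timestamp, the signer cert must
    have been valid at the attested signing time; without one, it must be valid
    at `now`.  That is the rule jarsigner applies to timestamped JARs."""
    try:
        signer_cert.public_key().verify(signature, payload)
    except InvalidSignature:
        return "bad signature"
    check_time = now
    if token is not None:
        body, tsa_sig = token
        try:
            tsa_cert.public_key().verify(tsa_sig, body)
        except InvalidSignature:
            return "bad timestamp token"
        nb, na = validity(tsa_cert)
        if not nb <= now <= na:            # the TSA's own cert is checked against now
            return "timestamp authority certificate not valid now"
        if body[8:] != hashlib.sha256(signature).digest():
            return "timestamp does not cover this signature"
        check_time = EPOCH + dt.timedelta(seconds=struct.unpack(">q", body[:8])[0])
    nb, na = validity(signer_cert)
    if not nb <= check_time <= na:
        return "signer certificate not valid at %s" % check_time.isoformat()
    return "ok"


def demo():
    """Constructed scenario: a four-year signer cert that expired a few days ago."""
    signer_key = ed25519.Ed25519PrivateKey.generate()
    tsa_key = ed25519.Ed25519PrivateKey.generate()
    signer_cert = make_self_signed(signer_key, "Illustrative developer",
                                   dt.datetime(2015, 2, 15), dt.datetime(2019, 2, 12))
    tsa_cert = make_self_signed(tsa_key, "Illustrative TSA",
                                dt.datetime(2015, 1, 1), dt.datetime(2030, 1, 1))
    payload = b"constructed stand-in for the bytes of a JAR's .SF signature file"
    signature = signer_key.sign(payload)
    token = timestamp(tsa_key, signature, dt.datetime(2018, 6, 1))   # signed while valid
    now = dt.datetime(2019, 2, 20)
    return {
        "untimestamped": verify(payload, signature, signer_cert, now),
        "timestamped": verify(payload, signature, signer_cert, now, token, tsa_cert),
        "tampered": verify(payload + b"x", signature, signer_cert, now, token, tsa_cert),
        # a token attesting a signing time after expiry does not rescue the signature
        "late_token": verify(payload, signature, signer_cert, now,
                             timestamp(tsa_key, signature, dt.datetime(2019, 2, 14)),
                             tsa_cert),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print("%-13s %s" % (case, result))
```

With real tooling the equivalent steps are `jarsigner -tsa <TSA URL> ...` at signing time and `jarsigner -verify -verbose -certs file.jar` to see whether a timestamp is present; a JAR signed without `-tsa` behaves like the "untimestamped" case once the certificate lapses.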

Torsten Kupke

Feb 15, 2019, 3:55:32 PM
to turbovn...@googlegroups.com
Hi DRC,

did you hear about

https://letsencrypt.org/

They have provided free certificates for a couple of years now. E.g. the producer
of my home router uses one for its firmware and web interface.

B.R.

Torsten

DRC

Feb 15, 2019, 4:22:26 PM
to turbovn...@googlegroups.com
I use Let's Encrypt to provide HTTPS on VirtualGL.org, TurboVNC.org, and
libjpeg-turbo.org, but it doesn't appear that they currently or will
ever support code signing:

https://community.letsencrypt.org/t/do-you-support-code-signing/370/4

Code signing means that the CA is signing off on their trust of an
individual developer, which requires that they perform an identity check
and such. I generally have to find a notary public and send a notarized
affidavit (under penalty of perjury) along with photocopies of documents
that prove my citizenship, current residence, and that I'm doing
business as a developer. It's a colossal pain in the butt.

DRC

DRC

Feb 15, 2019, 4:39:25 PM
to turbovn...@googlegroups.com
Certum used to provide free code signing certificates for open source
projects, but unfortunately they have stopped doing that. Their base
price for open source code signing appears quite good (25€), but
apparently if you don't have a cryptographic card, they make you
purchase one. That brings the price to 69€, then they charge 15€ in
taxes and 35€ for shipping, which makes the total about US$130:
outrageous for a 1-year code signing cert. Comodo is much less expensive.

DRC