Flameshot: Please consider making digital signatures on built Windows .msi files

Created on 19 Sep 2020 · 12 Comments · Source: flameshot-org/flameshot

Current Windows Defender SmartScreen will by default block the flameshot .msi installation due to the lack of digital signature and author information. I'm wondering if future released .msi installer files can be signed to circumvent this issue.

Labels: Enhancement, Windows

All 12 comments

I've actually started looking into this. Thanks for the suggestion!

Okay after further research this can be very expensive to maintain unless we provide our own certificates. It also does not provide any real extra security compared to our posted SHA256 or creating our own certs.

The best price I found was certum but there are some drawbacks:

  • Must use a smart card provided with Certum. This means I will be the only person with physical access.
  • Must pay for the smart card upfront (~70 euro). I cannot use my Yubikey for this.
  • Yearly 25 euro fee.

My preference would be to create our own certificate which is equally secure, but requires the user to install a certificate created by us. I will keep this certificate on a spare yubikey so it has the same level of private key protection. We could also create 2 Yubikeys and mail one to a backup person.

Asking users to install a certificate might be too bothersome. I believe the most important thing would be preventing Windows Defender (on Windows 10) from blocking the installation by default (and the "OK" button is hidden unless you check out advanced options), which greatly harms user experience.

I took a look at other open source projects with a Windows version like Vim. Vim provided a .exe installer and it will not trigger Windows Defender to block its installation; there would only be a confirmation window popping up asking whether to allow this program of unknown origin to modify your system (with the "OK" button shown). That would be good enough.

Looks like Vim uses a company called SignPath. I'll reach out to them to see if they will support our project.

@hosiet @mmahmoudian @ZetaoYang Any concerns with these terms and conditions: https://github.com/SignPath/Website-old/blob/v2/src/drafts/oss_policy.md

They agreed to sponsor this project as long as we agree with the terms. It all looks good to me.

The only part that I'm not comfortable with is:

The code signing certificate is issued to SignPath Foundation. This means that SignPath Foundation is the publisher of the OSS project.

SignPath Foundation will therefore define and execute technical constraints and require project members to follow certain rules.

The parts that make me uncomfortable are:

  1. What is the definition of "publisher"?
  2. They can impose constraints, but there is zero mention of these "certain rules" (note that they didn't say "following rules" and didn't provide a link to a page that defines the rules in a clear form), and zero mention of whether, if the rules change, they will inform us or we are expected to check them frequently.

My point is the constraints mentioned in that .md file make sense, but if there is more to it that is not explained there, then ... . They were not clear about a finite set of rules. Also I don't understand the significance of the word "publisher".

@mmahmoudian

Publisher in this context means when you install via the .exe it will list "SignPath" as the publisher of the application. This is required since their foundation owns the certificate.

Ok, then the only question left is what exactly the constraints are. Some of them (or perhaps all of them) are listed in that .md file, but we should confirm whether those are all we need to comply with.

The next step is to get integrated with appveyor. I reached out to Lupo to give me permissions to do that. I currently am not able to.

@lupoDharkael Could you please promote me to owner so I can adjust 3rd party integrations? That is blocking this from completion. We can discuss on Slack if you prefer.

There is a case:
https://github.com/gitextensions/gitextensions/issues/7738

I am very close to having this finished. I am proposing we only release and sign 64bit versions to reduce the number of artifacts that need to be signed. I plan to sign the standalone zip/exe and the msi installer.
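One way for a user to check a downloaded artifact against both the posted SHA256 and the Authenticode signature discussed in this thread, as an added example that is not flameshot project code; the file name, expected hash and the expected publisher string are assumptions (the thread says the installer will show SignPath as publisher because the foundation owns the certificate):

```powershell
# Added example (not flameshot project code): verify a downloaded Flameshot
# Windows artifact before installing it. Assumes the release is signed with the
# SignPath Foundation certificate discussed in the thread and that the project
# posts a SHA256 per artifact; the path, hash and publisher strings are placeholders.
param(
    [Parameter(Mandatory = $true)][string]$Path,           # e.g. .\flameshot-win64.msi (placeholder)
    [Parameter(Mandatory = $true)][string]$ExpectedSha256, # hash copied from the release page (placeholder)
    [string]$ExpectedPublisher = 'SignPath Foundation'      # substring expected in the signer's subject
)

$ErrorActionPreference = 'Stop'

# 1. Integrity: the posted SHA256 catches a tampered or corrupted download
#    whether or not the file carries a signature.
$actual = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
if ($actual -ne $ExpectedSha256.ToUpperInvariant()) {
    throw "SHA256 mismatch: expected $ExpectedSha256, got $actual"
}

# 2. Authenticity: the Authenticode signature must chain to a trusted root and
#    the file must not have been modified after signing. Works for .msi and .exe;
#    a .zip cannot carry an Authenticode signature, so check the .exe inside it.
$sig = Get-AuthenticodeSignature -FilePath $Path
if ($sig.Status -ne 'Valid') {
    throw "Signature status is '$($sig.Status)': $($sig.StatusMessage)"
}

# 3. Publisher: a valid signature from an unexpected signer is still the wrong software.
$subject = $sig.SignerCertificate.Subject
if ($subject -notmatch [regex]::Escape($ExpectedPublisher)) {
    throw "Unexpected signer: $subject"
}

# 4. Timestamp: a countersignature keeps the signature verifiable after the
#    signing certificate itself expires.
if (-not $sig.TimeStamperCertificate) {
    Write-Warning 'No timestamp countersignature; the signature will stop validating once the certificate expires.'
}

Write-Output "OK: $Path hash matches and is signed by '$subject'"
```

Run it as `.\Verify-Artifact.ps1 -Path .\flameshot-win64.msi -ExpectedSha256 <hash from release page>`; a SmartScreen "unknown publisher" prompt should then only appear if one of these checks would also fail.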
