Hrm, think it should be BF CA cert?

On Sun, Nov 9, 2014 at 8:36 PM, Martijn Berger <martijn.ber...@gmail.com> wrote:
> Hi Sergey-,
>
> You mind making a Blender Institute CA if we don't have one.
> I'll send you a certificate signing request for a code signing certificate.
> So I can make the proof of concept happen.
>
> Martijn
>
> On Sun, Nov 9, 2014 at 4:31 PM, Sergey Sharybin <sergey....@gmail.com> wrote:
>
> > Sounds like a plan to me.
> >
> > Do we have volunteers to implement this? :)
> >
> > On Sun, Nov 9, 2014 at 8:29 PM, Martijn Berger <martijn.ber...@gmail.com> wrote:
> >
> > > Hi everyone.
> > >
> > > I think this is a great idea.
> > >
> > > I would like to propose the following steps.
> > >
> > > 1) We put in place the infrastructure
> > > 2) We use a self signed certificate ( blender foundation CA ) to sign our
> > > buildbot builds and installers.
> > > 3) We buy / beg an official certificate to the signing.
> > >
> > > This would allow us to delay spending the money till we can actually use
> > > the certificate. There are no real hurdles to just doing this but let's
> > > prove it works first.
> > >
> > > Martijn
> > >
> > > On Fri, Nov 7, 2014 at 1:39 AM, Dan McGrath <danmcgrath...@gmail.com> wrote:
> > >
> > > > Hey Ton,
> > > >
> > > > Well, the cert is just like any other SSL/x.509 certificate you would get,
> > > > except the properties of the certificate allow (limit) it to be used
> > > > specifically for signing code. You can get certs that can be set to only be
> > > > used for email, signing or encryption etc. The thing that makes this use of
> > > > the certificate unique (compared to regular SSL certificates) is that you
> > > > use special tools on Windows to sign binary files (as opposed to installing
> > > > in a web server like we do with SSL).
> > > > Although given the special purpose of
> > > > making your software look reputable and legitimate, they (the industry) of
> > > > course demand a premium for the cost of generating these certificates (ie:
> > > > they charge you up the wazoo!). Like our EV certificates, I believe they
> > > > also go through extra identity checks before they just hand one of these
> > > > certificates over to you.
> > > >
> > > > Comodo (our certificate provider) offers these certificates as well if you
> > > > are interested (Starting at $166.95/year):
> > > >
> > > > https://www.comodo.com/business-security/code-signing-certificates/code-signing.php
> > > >
> > > > With one of those, you should be able to follow the steps in the Microsoft
> > > > url I pasted earlier to do code signing. I believe you could even generate
> > > > your own self signed CA cert and create one of these code signing
> > > > certificates to test the tools, but such a certificate would not be trusted
> > > > of course, and would only be useful to practice the workflow.
> > > >
> > > > Dan
> > > >
> > > > On Thu, Nov 6, 2014 at 12:37 PM, Ton Roosendaal <t...@blender.org> wrote:
> > > >
> > > > > Hi,
> > > > >
> > > > > I don't mind paying a bit, for as long it's an undisputed, official cert
> > > > > recommended by Microsoft.
> > > > >
> > > > > -Ton-
> > > > >
> > > > > --------------------------------------------------------
> > > > > Ton Roosendaal - t...@blender.org - www.blender.org
> > > > > Chairman Blender Foundation - Producer Blender Institute
> > > > > Entrepotdok 57A - 1018AD Amsterdam - The Netherlands
> > > > >
> > > > > On 6 Nov, 2014, at 15:51, Dan McGrath wrote:
> > > > >
> > > > > > It sounds like Microsoft calls this "Authenticode".
> > > > > > I don't have any
> > > > > > personal experience with it myself, but I did find this url at Microsoft's
> > > > > > website that might be of use to those looking into this:
> > > > > >
> > > > > > http://msdn.microsoft.com/en-us/library/ie/ms537359(v=vs.85).aspx
> > > > > >
> > > > > > Dan
> > > > > >
> > > > > > On Thu, Nov 6, 2014 at 9:12 AM, Ton Roosendaal <t...@blender.org> wrote:
> > > > > >
> > > > > >> Hi all,
> > > > > >>
> > > > > >> For OS X we sign the binary using our Apple developer account.
> > > > > >> It seems there's a similar system for Windows exes too.
> > > > > >> Please advise!
> > > > > >>
> > > > > >> (See mail below).
> > > > > >>
> > > > > >> -Ton-
> > > > > >>
> > > > > >> --------------------------------------------------------
> > > > > >> Ton Roosendaal - t...@blender.org - www.blender.org
> > > > > >> Chairman Blender Foundation - Producer Blender Institute
> > > > > >> Entrepotdok 57A - 1018AD Amsterdam - The Netherlands
> > > > > >>
> > > > > >> Begin forwarded message:
> > > > > >>
> > > > > >>> Subject: Vendor Approval Issue
> > > > > >>> Date: 6 November, 2014 14:17:11 CET
> > > > > >>> To: foundat...@blender.org
> > > > > >>>
> > > > > >>> Hi
> > > > > >>>
> > > > > >>> I have a generic issue that needs addressing so I have contacted
> > > > > >>> this email address in the hope that you can redirect it
> > > > > >>> appropriately.
> > > > > >>>
> > > > > >>> I use Comodo Internet Security Premium which includes a Defense
> > > > > >>> Plus element for monitoring running processes. Whilst I have
> > > > > >>> approved Blender as a process it refuses to recognise the Vendor as
> > > > > >>> the .exe file is not signed and has no developer information so it
> > > > > >>> will not allow me to add it to the approved list and keeps flagging
> > > > > >>> it every time I launch Blender.
> > > > > >>>
> > > > > >>> I am bringing this to your attention as it is annoying and I am
> > > > > >>> sure other users are experiencing the same issue and it could be
> > > > > >>> easily resolved but that can only be done by the development team.
> > > > > >>>
> > > > > >>> Trusted Vendors can sign up here to be whitelisted:
> > > > > >>>
> > > > > >>> http://internetsecurity.comodo.com/trustedvendor/signup.php
> > > > > >>>
> > > > > >>> Many thanks
> > > > > >>>
> > > > > >>> Mark
> > > > > >>
> > > > > >> _______________________________________________
> > > > > >> Bf-committers mailing list
> > > > > >> Bf-committers@blender.org
> > > > > >> http://lists.blender.org/mailman/listinfo/bf-committers
> >
> > --
> > With best regards, Sergey Sharybin

--
With best regards, Sergey Sharybin
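
The practice workflow discussed in this thread (a self-signed test CA, a certificate signing request, and a certificate whose extensions limit it to code signing), as an added example that is not part of the original messages or of Blender's build setup. It assumes the `openssl` command-line tool; all subjects, file names and lifetimes are constructed placeholders, and the Windows signing step itself is not shown.

```bash
#!/usr/bin/env bash
# Added example. Subjects, file names and lifetimes are constructed placeholders.
set -eu

make_test_pki() {            # $1 = existing output directory
  local d="$1"
  # 1) Self-signed test CA: nothing trusts it unless it is installed by hand.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=Example Test CA" \
    -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
  # 2) The signer makes its own key and a CSR; only the CSR is sent to the CA.
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=Example Build Signer" \
    -keyout "$d/signer.key" -out "$d/signer.csr" 2>/dev/null
  # 3) These extensions are what limit the issued certificate to code signing.
  printf '%s\n' 'basicConstraints = critical, CA:FALSE' \
    'keyUsage = critical, digitalSignature' \
    'extendedKeyUsage = codeSigning' > "$d/codesign.ext"
  # 4) The CA issues the leaf certificate from the CSR with those extensions.
  openssl x509 -req -in "$d/signer.csr" -sha256 -days 30 \
    -CA "$d/ca.crt" -CAkey "$d/ca.key" -CAcreateserial \
    -extfile "$d/codesign.ext" -out "$d/signer.crt" 2>/dev/null
}

# Print the certificate's Extended Key Usage value.
leaf_eku() {
  openssl x509 -in "$1" -noout -text |
    grep -A1 'X509v3 Extended Key Usage' | tail -n1 | sed 's/^ *//; s/ *$//'
}

# Succeeds when cert $2 chains to CA $1; optional $3 is an OpenSSL -purpose name.
chain_ok() {
  openssl verify ${3:+-purpose "$3"} -CAfile "$1" "$2" >/dev/null 2>&1
}

demo() {
  local d; d="$(mktemp -d)"
  make_test_pki "$d"
  echo "EKU: $(leaf_eku "$d/signer.crt")"
  chain_ok "$d/ca.crt" "$d/signer.crt" && echo "chains to the test CA"
  chain_ok "$d/ca.crt" "$d/signer.crt" sslserver || echo "rejected as a TLS server cert"
  rm -rf "$d"
}
demo
```

The last check shows the usage restriction in practice: the same certificate that chains to the test CA is refused when it is validated for TLS server use.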