eht16 left a comment (geany/geany#4238)

Nice to hear you made progress with CherryTree.

I think changing the installer software for the next release is too much work 
and too little time for testing.
So, I guess we need to postpone it anyway.

How does it work in detail?
We would send the installer binary to SignPath, they extract it (provided it is 
.msi), sign the included binaries, repack it and sign the installer as well?

If so, we would have to fully trust SignPath to not add or modify anything in the 
installer, not now and not in the future.

Maybe it's just me but we had bad experiences with SourceForge in the past when 
they added advertising and (I think) spyware to installers. In that case, they 
should only host the files and not modify them in any way, though they did.

I wonder if it's worth the risk and how aggressive Microsoft really will be 
regarding code signing enforcement.

If I got it right, having our binaries properly signed still would not be 
enough for Microsoft's plans if the MSYS2 binaries won't be signed as well?

I'm also interested in what the others think, @b4n @techee?

-- 
Reply to this email directly or view it on GitHub:
https://github.com/geany/geany/pull/4238#issuecomment-2952740640