On 3/26/12 5:09 PM, Rob Weir wrote:
On Mon, Mar 26, 2012 at 9:32 AM, Jürgen Schmidt
<jogischm...@googlemail.com> wrote:

On 3/23/12 7:25 AM, lou ql wrote:

on Windows 7, when I double-click the package to install, a User Account
Control message will appear and the publisher is "Unknown", will this be
fixed at the final version?


good question where I don't have an answer yet. We have to discuss this
with legal and/or with our mentors.

I think we will need a trustful certificate that is accepted and where we
(or at least one person providing the binary Windows builds) has access to
the private information ...

I don't know if such a certificate already exists and if a process to use
it in an appropriate and secure way exists as well.



There was a mention of this a few weeks ago, that some at Apache were
exploring the possibility of having code signing certificates for Apache
releases.  This was in the thread where we were discussing the anti-virus
warnings about the 3.4 dev builds.  But there was no indication of time
frame.

Looking at the Verisign website, it looks like a 1-year "Authenticode"
certificate costs $499.

And I assume that signing an EXE or MSI with a cert would break our
detached PGP signature.   So how we would integrate code signing with
release procedures is an interesting question.  Ditto for how we would
protect our signing key.  I assume we would not want 90 PPMC members
to have access to it.

We sign the downloadable archives. That means signing the exe, msi with a cert before we build the archive should be ok.

I know that we did some sophisticated 2-step signing where we signed dlls (IE plugins) first and included these signed dlls. The whole setup package was signed again.

The question is more if we can get such an official cert and how we can use it.

Any ideas how we can drive this important question forward?

Juergen




@our mentors: can you provide any information or advice how we can address
this issue?

I assume it will become even more important for Windows 8.


Juergen



