Re: [Bf-committers] Vendor Approval Issue
Hi everyone.

I think this is a great idea. I would like to propose the following steps.

1) We put in place the infrastructure
2) We use a self-signed certificate (Blender Foundation CA) to sign our buildbot builds and installers.
3) We buy / beg an official certificate to the signing.

This would allow us to delay spending the money till we can actually use the certificate. There are no real hurdles to just doing this but let's prove it works first.

Martijn

On Fri, Nov 7, 2014 at 1:39 AM, Dan McGrath danmcgrath...@gmail.com wrote:

Hey Ton,

Well, the cert is just like any other SSL/X.509 certificate you would get, except the properties of the certificate allow (limit) it to be used specifically for signing code. You can get certs that can be set to only be used for email, signing or encryption etc. The thing that makes this use of the certificate unique (compared to regular SSL certificates) is that you use special tools on Windows to sign binary files (as opposed to installing in a web server like we do with SSL).

Although given the special purpose of making your software look reputable and legitimate, they (the industry) of course demand a premium for the cost of generating these certificates (i.e. they charge you up the wazoo!). Like our EV certificates, I believe they also go through extra identity checks before they just hand one of these certificates over to you.

Comodo (our certificate provider) offers these certificates as well if you are interested (starting at $166.95/year):

https://www.comodo.com/business-security/code-signing-certificates/code-signing.php

With one of those, you should be able to follow the steps in the Microsoft url I pasted earlier to do code signing. I believe you could even generate your own self-signed CA cert and create one of these code signing certificates to test the tools, but such a certificate would not be trusted of course, and would only be useful to practice the workflow.

Dan

On Thu, Nov 6, 2014 at 12:37 PM, Ton Roosendaal t...@blender.org wrote:

Hi,

I don't mind paying a bit, for as long as it's an undisputed, official cert recommended by Microsoft.

-Ton-

Ton Roosendaal - t...@blender.org - www.blender.org
Chairman Blender Foundation - Producer Blender Institute
Entrepotdok 57A - 1018AD Amsterdam - The Netherlands

On 6 Nov, 2014, at 15:51, Dan McGrath wrote:

It sounds like Microsoft calls this Authenticode. I don't have any personal experience with it myself, but I did find this url at Microsoft's website that might be of use to those looking into this:

http://msdn.microsoft.com/en-us/library/ie/ms537359(v=vs.85).aspx

Dan

On Thu, Nov 6, 2014 at 9:12 AM, Ton Roosendaal t...@blender.org wrote:

Hi all,

For OS X we sign the binary using our Apple developer account. It seems there's a similar system for Windows exes too. Please advise! (See mail below).

-Ton-

Ton Roosendaal - t...@blender.org - www.blender.org
Chairman Blender Foundation - Producer Blender Institute
Entrepotdok 57A - 1018AD Amsterdam - The Netherlands

Begin forwarded message:

Subject: Vendor Approval Issue
Date: 6 November, 2014 14:17:11 CET
To: foundat...@blender.org

Hi

I have a generic issue that needs addressing so I have contacted this email address in the hope that you can redirect it appropriately.

I use Comodo Internet Security Premium which includes a Defense Plus element for monitoring running processes. Whilst I have approved Blender as a process it refuses to recognise the Vendor as the .exe file is not signed and has no developer information so it will not allow me to add it to the approved list and keeps flagging it every time I launch Blender.

I am bringing this to your attention as it is annoying and I am sure other users are experiencing the same issue and it could be easily resolved but that can only be done by the development team.

Trusted Vendors can sign up here to be whitelisted:

http://internetsecurity.comodo.com/trustedvendor/signup.php

Many thanks
Mark

___
Bf-committers mailing list
Bf-committers@blender.org
http://lists.blender.org/mailman/listinfo/bf-committers
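The practice workflow discussed in this thread (a self-signed CA, a certificate signing request, and a certificate whose properties limit it to code signing), sketched with the OpenSSL command line. This is an added example, not part of the original e-mails; it assumes `openssl` 1.1.1 or later is installed, and every subject name and file name in it is constructed.

```shell
#!/bin/sh
# Added example; all subject names and file names are constructed.
set -eu

# Build the chain: practice CA (self-signed), requester key + CSR, then the
# CA signs the CSR with extensions that limit the certificate to code signing.
make_practice_chain() {
    d=$1
    cat > "$d/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Practice Code Signing CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
    cat > "$d/codesign.ext" <<'EOF'
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = codeSigning
EOF
    openssl req -x509 -config "$d/req.cnf" -newkey rsa:2048 -nodes -sha256 \
        -days 30 -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    openssl req -new -config "$d/req.cnf" -subj "/CN=Practice Publisher" \
        -newkey rsa:2048 -nodes -sha256 \
        -keyout "$d/signer.key" -out "$d/signer.csr" 2>/dev/null
    openssl x509 -req -in "$d/signer.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -sha256 -days 30 -extfile "$d/codesign.ext" \
        -out "$d/signer.pem" 2>/dev/null
}

# The signer certificate chains to the practice CA when that CA is supplied.
chains_to_practice_ca() { openssl verify -CAfile "$1/ca.pem" "$1/signer.pem" >/dev/null 2>&1; }
# The extended key usage names code signing.
has_code_signing_eku() { openssl x509 -in "$1/signer.pem" -noout -text | grep -q "Code Signing"; }
# The same certificate offered as a TLS server certificate (expected to fail).
accepted_as_tls_server() { openssl verify -purpose sslserver -CAfile "$1/ca.pem" "$1/signer.pem" >/dev/null 2>&1; }
# Verification against the default trust store only (expected to fail).
trusted_by_default() { openssl verify "$1/signer.pem" >/dev/null 2>&1; }

work=$(mktemp -d)
make_practice_chain "$work"
chains_to_practice_ca "$work" && echo "chains to practice CA: yes"
has_code_signing_eku "$work" && echo "EKU contains Code Signing: yes"
accepted_as_tls_server "$work" || echo "accepted as TLS server certificate: no"
trusted_by_default "$work" || echo "trusted without importing the CA: no"
rm -rf "$work"
```

To practice with the Windows signing tools, the signer key and certificate can be bundled with `openssl pkcs12 -export`; the practice CA then has to be imported as a trusted root on the test machine only.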
Re: [Bf-committers] Vendor Approval Issue
Sounds like a plan to me. Do we have volunteers to implement this? :)

On Sun, Nov 9, 2014 at 8:29 PM, Martijn Berger martijn.ber...@gmail.com wrote:

Hi everyone.

I think this is a great idea. I would like to propose the following steps.

1) We put in place the infrastructure
2) We use a self-signed certificate (Blender Foundation CA) to sign our buildbot builds and installers.
3) We buy / beg an official certificate to the signing.

This would allow us to delay spending the money till we can actually use the certificate. There are no real hurdles to just doing this but let's prove it works first.

Martijn
Re: [Bf-committers] Vendor Approval Issue
Hi Sergey,

You mind making a Blender Institute CA if we don't have one. I'll send you a certificate signing request for a code signing certificate. So I can make the proof of concept happen.

Martijn

On Sun, Nov 9, 2014 at 4:31 PM, Sergey Sharybin sergey@gmail.com wrote:

Sounds like a plan to me. Do we have volunteers to implement this? :)
Re: [Bf-committers] Vendor Approval Issue
Hrm, think it should be BF CA cert?

On Sun, Nov 9, 2014 at 8:36 PM, Martijn Berger martijn.ber...@gmail.com wrote:

Hi Sergey,

You mind making a Blender Institute CA if we don't have one. I'll send you a certificate signing request for a code signing certificate. So I can make the proof of concept happen.

Martijn
[Bf-committers] Blender developers meeting, November 9, 2014
Hi all,

Here are notes for today's meeting in irc.freenode.net #blendercoders

1) Projects for the next release

- The projects and planning for the upcoming 2.73 release:
  http://wiki.blender.org/index.php/Dev:Doc/Projects
- Bastien Montagne: Mesh transfer can be put back as a release target, it better gets done before we add the 'Split normal' patch.
  http://wiki.blender.org/index.php/User:Mont29/Foundation/Data_Transfer/Data_Transfer_Manual
- The patch for the Chinese/Asian complex character input has been assigned to Julian Eisel, added as release target.

2) Other Projects

- Sergey Sharybin wrote an analysis and project proposal for Dependency Graph work
  http://wiki.blender.org/index.php/User:Nazg-gul/DependencyGraph
- Other development work as part of project Gooseberry can be read on the http://gooseberry.blender.org website. This includes: Hair sim using volumes, Alembic caching, Viewport upgrades, asset managing.
- Martijn Berger will send a proposal for signing Windows .exe distributions.
- Julian is almost done with fixing up the event system to allow (better) handling for sticky key handling, double clicks, etc. Will be proposed for review soon.
- Please check the bf-gamedev list for a review of new or open topics to handle for gamer-artist related development.
  http://lists.blender.org/mailman/listinfo/bf-gamedev

Thanks,

-Ton-

Ton Roosendaal - t...@blender.org - www.blender.org
Chairman Blender Foundation - Producer Blender Institute
Entrepotdok 57A - 1018AD Amsterdam - The Netherlands