giancarlostoro 6 hours ago

Do people even double check installers are digitally signed? There's so much open source stuff out there that is not digitally signed, most people might not even notice.

tokyobreakfast 6 hours ago

Windows has displayed a big scary orange prompt for at least the last decade when it isn't. More like 15-20 years IIRC.

But I'm sure people blindly click through the "Unknown author" prompt just as they would ignore a certificate error.

giancarlostoro 6 hours ago

Like I said, there's a LOT of open source projects that show that prompt. Signing an MSI involves having a valid CA certificate, which AFAIK is not free, and goes beyond the budget of most projects.

tokyobreakfast 6 hours ago

It's not free, but it's not expensive either. Most well-known Windows open source projects have them; e.g. PuTTY, WireGuard, VLC, Rufus, etc.

Maybe it's high time for a free-as-in-beer CA for non-profit open source developers funded by donations?

Edit: I was wrong.

Prices on code signing certificates have skyrocketed to in excess of $500/year, due in part to continuing meddling by the CA/B forum which increased the requirements of standard certs to be the same as EV certs, and requiring the key to be stored in a hardware token—which must now be re-issued yearly.

This makes it near impossible to provide free or affordable certificates to developers. Thanks CA/B forum, lots of help as usual.

JohnTHaller 3 hours ago

We're up for renewal with PortableApps.com. The same one year non-EV code signing certificate with a USB token that was US$246 last year is now US$434 from GlobalSign. The lower prices you see some places are for 2+ years.

Note that the certificate itself is only for 1 year regardless of how long you buy one for, and you need to go through the renewal process each year, just without payment.

rustyhancock 6 hours ago

Orange? It's a blue warning isn't it? Is this how one of us finds out he's colour blind?

fuzzy2 6 hours ago

The UAC dialog for unsigned software has an orange or yellow accent. You could be talking about the SmartScreen dialog. There's yet another dialog for executable files downloaded from the internet, which I think has a red shield for unsigned software.

tokyobreakfast 6 hours ago

Blue when it has a valid signature.

Orange when it's missing or invalid.

ozim 5 hours ago

I use winget or homebrew; those tools do so for me, and if something doesn't match they show an error.

fuzzy2 an hour ago

Neither WinGet nor Homebrew packages/formulae provide authenticity checks. They have integrity checks for file transfer. That’s it. Where did the file come from when it was entered into the respective repository? No statement.

Whether Authenticode provides a sufficient authenticity check is yet another question, of course. Still, file integrity verification is just a side-effect.
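The integrity-versus-authenticity distinction drawn in the comment above, as an added PowerShell example (not written by any commenter): the first function is the transfer-integrity check a package manifest gives you, the second is the Authenticode authenticity check a user would otherwise have to do by reading the UAC prompt. The installer path, the expected SHA-256 and the publisher name are placeholders.

```powershell
# Added example (not from the thread): contrast an integrity check (hash match)
# with an authenticity check (Authenticode signature chaining to a trusted root).
# Assumptions: $InstallerPath and $ExpectedSha256 are placeholders you fill in
# from the project's download page; $ExpectedPublisher is the subject CN you expect.
param(
    [string]$InstallerPath     = 'C:\Downloads\example-installer.msi',  # placeholder
    [string]$ExpectedSha256    = '<sha256 published by the project>',  # placeholder
    [string]$ExpectedPublisher = 'CN=Example Project Inc'              # placeholder
)

function Test-InstallerIntegrity {
    # Integrity only: proves the bytes match the hash you were given.
    # Says nothing about who produced them; this is what a winget manifest
    # or a Homebrew formula checks after download.
    param([string]$Path, [string]$ExpectedHash)
    $actual = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    return ($actual -ieq $ExpectedHash)
}

function Test-InstallerAuthenticity {
    # Authenticity: the Authenticode signature must be cryptographically valid,
    # chain to a root Windows trusts, AND name the publisher you expect.
    param([string]$Path, [string]$Publisher)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        # Covers NotSigned, HashMismatch, NotTrusted and the other non-Valid states.
        Write-Warning "Signature status: $($sig.Status) - $($sig.StatusMessage)"
        return $false
    }
    $subject = $sig.SignerCertificate.Subject
    if ($subject -notlike "*$Publisher*") {
        # A valid signature from an unexpected publisher is still a red flag.
        Write-Warning "Signed by unexpected publisher: $subject"
        return $false
    }
    return $true
}

$integrityOk    = Test-InstallerIntegrity    -Path $InstallerPath -ExpectedHash $ExpectedSha256
$authenticityOk = Test-InstallerAuthenticity -Path $InstallerPath -Publisher    $ExpectedPublisher

[pscustomobject]@{
    File        = $InstallerPath
    IntegrityOk = $integrityOk     # hash matches what the manifest or download page listed
    AuthenticOk = $authenticityOk  # signed by a trusted root and the expected publisher
}
```

A file can pass the first check and fail the second (a manifest faithfully records the hash of whatever was uploaded), which is exactly the gap the comment describes.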