Code signing certificate for KDE?

Ben Cooksley bcooksley at kde.org
Fri Aug 18 08:33:49 BST 2017


On Fri, Aug 18, 2017 at 6:54 PM, Boudewijn Rempt <boud at valdyas.org> wrote:
> On Thu, 17 Aug 2017, Albert Astals Cid wrote:
>
>> On Thursday, 17 August 2017, at 22:57:47 CEST, Boudewijn Rempt wrote:
>> > On Thu, 17 Aug 2017, Albert Astals Cid wrote:
>> > > On Wednesday, 16 August 2017, at 11:40:33 CEST, Boudewijn Rempt wrote:
>> > >
>> > > > Here's yet another topic: for the past year, I've been signing Krita
>> > > > for Windows with a certificate from certum.eu. These certificates are
>> > > > personal, so krita gets signed by "open source developer boudewijn
>> > > > rempt".
>> > > >
>> > > > That's not ideal,
>> > >
>> > > What is the downside?
>> > >
>> > > I mean does "open source developer boudewijn rempt" show up somewhere in
>> > > the UI?
>> >
>> > Yes, it's what windows shows when installing the application.
>>
>> Ok, then I guess yes, we should get one.
>>
>> What kind of certificate is needed?
>
> Something like this: https://www.digicert.com/code-signing/ (though there are
> many companies that sell them, and it might be more convenient to pick a
> German one).

DigiCert would be a reasonably good CA to choose for getting this
certificate as they've not had any problems with CA security.
I'd suggest avoiding Symantec given the recent public execution
they've been given and issues they've had in the past.

Please remember that we need this authority to remain accepted for the
life of our binaries.

The authority also needs to issue us with a certificate which supports
timestamping, otherwise all binaries we sign with the certificate will
become unusable when the certificate expires.

Cheers,
Ben

>
>
> --
> Boudewijn Rempt | http://www.krita.org, http://www.valdyas.org


