[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Code Signing for LilyPond executables (WAS: LilyPond 2.23.81 on lilypond

From: Karlin High
Subject: Code Signing for LilyPond executables (WAS: LilyPond 2.23.81 on lilypond-user)
Date: Tue, 15 Nov 2022 18:22:18 -0600
User-agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:68.0) Gecko/20100101 Thunderbird/68.9.0

> Continuing a lilypond-user discussion on code signing for LilyPond executables, in hopes of pacifying security software.

On 16/11/2022 7:55 am, Karlin High wrote:
On 11/15/2022 2:30 PM, Jonas Hahnfeld via Discussions on LilyPond development wrote:
b) whether we would need to buy a certificate for that.

I think the answer is "yes, need to buy certificate."

And even that is no guarantee of executables not getting flagged after downloads, UNLESS there is a large and powerful outfit behind the signature that the security companies wish to avoid angering.


If a certificate WAS pursed, with macOS having the greatest need I expect, it looks like it would need contact info and a mailing address. That is where I stopped research, having no idea what would be used there.

On 11/15/2022 5:40 PM, Andrew Bernard wrote:
I have never had a Windows app certified, but I don't think there is any cost associated with it, it's just a process at Microsoft. This sort of signing in not a TLS certificate possibly involving cost (though most people use Let's Encrypt now).

This is a page from Microsoft. I think it's outdated but the principles would remain roughly the same.

If there is any interest I'd be happy to investigate this more seriously. perhaps this should be on the devel list?


A code signing certificate is not the same thing as a TLS certificate. Perhaps the difference would mostly be marketing and the nature of assurance assertions from the provider.

Step 3 at the windows-certification-portal link includes "Get a code signing certificate."

That leads to this page with 7 different options for certificate providers:


I am seeing annual prices from 129 to over 500 USD. Depending on what options are included, such as Extended Validation certificates and Hardware Security Modules for protecting the signing.

I am dim on what Extended Validation all involves. But I have in mind it includes verifying that the entity buying the certificate has a legitimate existence. For LilyPond, that entity would be... the main developer listed in GNU projects? The Free Software Foundation? Something else?

Maybe skip Extended Validation then.

But then some providers list "Immediate reputation with Microsoft SmartScreen Filter" as a selling point for Extended Validation.

Which I guess would fall back to having new executables still getting flagged, and having someone immediately respond with a request to have the fresh EXE file marked as trusted. The times I've done this to aid small developers I trust who have just published new code, Microsoft goes through a routine of "Who are you, anyway? Are you the publisher?" I guess trying to make sure I am not a malware distributor trying to get their latest evil scheme pre-approved with security software somehow.

Those very cautious could just wait a week or two for all that to settle before downloading and running. Eventually security software catches on.

For Apple's macOS world, things are far different yet. Possible starting point:

Karlin High
Missouri, USA

reply via email to

[Prev in Thread] Current Thread [Next in Thread]