Code Signing for LilyPond executables (WAS: LilyPond 2.23.81 on lilypond-user)

[Karlin High]

> Continuing a lilypond-user discussion on code signing for LilyPond 
executables, in hopes of pacifying security software.

> On 16/11/2022 7:55 am, Karlin High wrote:
> > On 11/15/2022 2:30 PM, Jonas Hahnfeld via Discussions on LilyPond 
> > development wrote:
> > > b) whether we would need to buy a certificate for that.
> >
> > I think the answer is "yes, need to buy certificate."
> >
> > And even that is no guarantee of executables not getting flagged after 
> > downloads, UNLESS there is a large and powerful outfit behind the 
> > signature that the security companies wish to avoid angering.
> >
> > <http://blog.nirsoft.net/2009/05/17/antivirus-companies-cause-a-big-headache-to-small-developers/> 
> >
> >
> > If a certificate WAS pursed, with macOS having the greatest need I 
> > expect, it looks like it would need contact info and a mailing 
> > address. That is where I stopped research, having no idea what would 
> > be used there.
>
> On 11/15/2022 5:40 PM, Andrew Bernard wrote:
> I have never had a Windows app certified, but I don't think there is any 
> cost associated with it, it's just a process at Microsoft. This sort of 
> signing in not a TLS certificate possibly involving cost (though most 
> people use Let's Encrypt now).
>
> This is a page from Microsoft. I think it's outdated but the principles 
> would remain roughly the same.
>
> https://learn.microsoft.com/en-us/windows/win32/win_cert/windows-certification-portal 
>
>
>
> If there is any interest I'd be happy to investigate this more 
> seriously. perhaps this should be on the devel list?
>
>
> Andrew 

A code signing certificate is not the same thing as a TLS certificate. 
Perhaps the difference would mostly be marketing and the nature of 
assurance assertions from the provider.

Step 3 at the windows-certification-portal link includes "Get a code 
signing certificate."

That leads to this page with 7 different options for certificate providers:

<https://learn.microsoft.com/en-us/windows-hardware/drivers/dashboard/code-signing-cert-manage>

I am seeing annual prices from 129 to over 500 USD. Depending on what 
options are included, such as Extended Validation certificates and 
Hardware Security Modules for protecting the signing.

I am dim on what Extended Validation all involves. But I have in mind it 
includes verifying that the entity buying the certificate has a 
legitimate existence. For LilyPond, that entity would be... the main 
developer listed in GNU projects? The Free Software Foundation? 
Something else?

Maybe skip Extended Validation then.

But then some providers list "Immediate reputation with Microsoft 
SmartScreen Filter" as a selling point for Extended Validation.

Which I guess would fall back to having new executables still getting 
flagged, and having someone immediately respond with a request to have 
the fresh EXE file marked as trusted. The times I've done this to aid 
small developers I trust who have just published new code, Microsoft 
goes through a routine of "Who are you, anyway? Are you the publisher?" 
I guess trying to make sure I am not a malware distributor trying to get 
their latest evil scheme pre-approved with security software somehow.

Those very cautious could just wait a week or two for all that to settle 
before downloading and running. Eventually security software catches on.

For Apple's macOS world, things are far different yet. Possible starting 
point:

<https://developer.apple.com/support/certificates/>
--
Karlin High
Missouri, USA