[Bug 766715] New: Signing the distribution on Windows & Mac

GStreamer (GNOME Bugzilla) bugzilla at gnome.org
Fri May 20 13:14:10 UTC 2016


https://bugzilla.gnome.org/show_bug.cgi?id=766715

            Bug ID: 766715
           Summary: Signing the distribution on Windows & Mac
    Classification: Platform
           Product: GStreamer
           Version: unspecified
                OS: Windows
            Status: NEW
          Severity: normal
          Priority: Normal
         Component: common
          Assignee: gstreamer-bugs at lists.freedesktop.org
          Reporter: andy at seventhstring.com
        QA Contact: gstreamer-bugs at lists.freedesktop.org
     GNOME version: ---

(I've marked this bug as OS:Windows. It is really Windows and Mac but there's
no way of indicating that).

Is there any interest in signing the distributions for Windows and Mac? It
certainly seems to me that the current absence of signatures must be a
significant obstacle to the adoption of GStreamer on these two platforms which
between them account for the vast majority of all desktop computers.

At present on Windows 10 32-bit I download gstreamer-1.0-x86-1.8.1.msi and when
I try to run it I get (actually this is the Win7 message but the Win10 message
is similar):
   "The publisher could not be verified.
   Are you sure you want to run this software?".

On Mac OS 10.10 with default security settings I get:
   "gstreamer-1.0-1.8.1-x86_64.pkg" can't be opened because
   it is from an unidentified developer.
   Your security preferences allow installation of only
   apps from the Mac App Store and identified developers.
The Mac doesn't allow the option of installing at all.

This will prevent many Windows users and practically all Mac users from
installing it. I might be exaggerating slightly, but I would say that these
days it is hardly worth producing Windows and Mac distributions at all if they
are not signed.

Once the signing certificates are obtained then it's just one more step in the
build script. I'm happy to help if I can though it seems to me the certificates
should be owned and applied by the GStreamer organization, or by the person who
builds the distribution packages. In particular I would be happy to pay the
costs, which AFAIK would be something like $99 per year to be a member of the
Apple Developer program and I currently pay around $400 per year for an
Authenticode certificate from Symantec, for Windows signing.

Obviously there is some self-interest here on my part: the next release of my
company's main product will not *require* GStreamer but I will be encouraging
users to install it to add certain features (e.g. video, and more audio file
formats).

Mac: I don't think there are identity checks and they have the concept of
developer teams allowing more than one person to be able to sign.

Windows: you need to go through the procedure of ordering and collecting the
certificate using the same browser and machine throughout - and I found it has
to be IE not Edge. But once you have the certificate you can move the pfx file
to a different machine and use it there. Of course, as soon as you send the pfx
in an unencrypted email then it could potentially be leaked. There are also
identity checks before the certificate is issued, depending on the certificate
provider's procedures.

It is all a bit tedious and tricksy to get it set up. If the GStreamer people
who prepare the Windows & Mac distributions want to do this then as I've said I
would be happy to pay the cost, and this would be the right way to do it, with
certificates issued to the GStreamer organisation. But I don't know if you have
the time and the desire to make this happen.
