Signing the distribution on Windows & Mac
Sebastian Dröge
sebastian at centricular.com
Fri May 20 08:39:00 UTC 2016
On Do, 2016-05-19 at 12:33 +0100, Andy Robinson wrote:
> Is there any interest in signing the distributions for Windows and Mac?
> It certainly seems to me that the current absence of signatures must be
> a significant obstacle to the adoption of GStreamer on these two
> platforms which between them account for the vast majority of all
> desktop computers.
>
> At present on Windows 10 32-bit I download gstreamer-1.0-x86-1.8.1.msi
> and when I try to run it I get
> "The publisher could not be verified.
> Are you sure you want to run this software?".
>
> On Mac OS 10.10 with default security settings I get
> "gstreamer-1.0-1.8.1-x86_64.pkg" can't be opened because
> it is from an unidentified developer.
> Your security preferences allow installation of only
> apps from the Mac App Store and identified developers.
> The Mac doesn't allow the option of installing at all.
>
> This will prevent many Windows users and practically all Mac users from
> installing it. I might be exaggerating slightly, but I would say that
> these days it is hardly worth producing Windows and Mac distributions at
> all if they are not signed.
>
> Once the signing certificates are obtained then it's just one more step
> in the build script. I'm happy to help if I can though it seems to me
> the certificates should be owned and applied by the GStreamer
> organization, or by the person who builds the distribution packages. In
> particular I would be happy to pay the costs, which AFAIK would be
> something like $99 per year to be a member of the Apple Developer
> program and I currently pay around $400 per year for an authenticode
> certificate from Symantec, for Windows signing.
>
> Obviously there is some self interest here on my part : the next release
> of my company's main product will not *require* GStreamer but I will be
> encouraging users to install it to add certain features (e.g. video, and
> more audio file formats).
The main problem here seems to be that the keys for the signature need
to be available to whoever is building the binaries. Is it easily
possible to share these keys?
Can you file a bug about this at
https://bugzilla.gnome.org/enter_bug.cgi?product=GStreamer
--
Sebastian Dröge, Centricular Ltd · http://www.centricular.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 949 bytes
Desc: This is a digitally signed message part
URL: <https://lists.freedesktop.org/archives/gstreamer-devel/attachments/20160520/45e57997/attachment.sig>
More information about the gstreamer-devel
mailing list