Signing the distribution on Windows & Mac

Andy Robinson andy at seventhstring.com
Fri May 20 10:33:49 UTC 2016


On 20/05/16 10:44, Jérôme Laheurte wrote:
>
>> On 20 May 2016 at 10:43, Sebastian Dröge <sebastian at centricular.com> wrote:
>>
>> On Fr, 2016-05-20 at 11:41 +0300, Kyrylo Polezhaiev wrote:
>>> but obviously that defeats the point of using keys in the first place
>>> :-)
>>
>> We could share them privately among the project members I guess.
>
> My 2 cents: the Mac developer program has a concept of « team » for sharing certificates, but
> each team member must be registered, so the cost bumps up to 99$ per developer per year. For
> Windows certificates, last time I had the dubious honor of having to get one, the process was
> a bit of a pain in the ass; you must use a specific version of IE, install various components,
> and use the exact same computer to renew it later; I’m not even sure there’s a way to « export »
> it to sign executables on a different machine, but I didn’t look long…
>
> Best regards
> Jérôme

You're right about Mac teams - I would guess that there isn't an 
enormous number of GStreamer developers who would need to be able to 
sign a Mac distribution (2 or 3?) so the cost would not be prohibitive.

As for Windows, yes you need to go through the procedure of ordering and 
collecting the certificate using the same browser and machine throughout 
- and I found it has to be IE not Edge. But once you have the 
certificate you can move the pfx file to a different machine and use it 
there. Of course, as soon as you send the pfx in an unencrypted email 
then it could potentially be leaked. There are also identity checks 
before the certificate is issued, depending on the certificate 
provider's procedures.

It is all a bit tedious and tricksy to get it set up. If the GStreamer 
people who prepare the Windows & Mac distributions want to do this then 
as I've said I would be happy to pay the cost, and this would be the 
right way to do it, with certificates issued to the GStreamer 
organisation. But I don't know if you have the time and the desire to 
make this happen.

If not then I guess my backup solution would be to sign the relevant 
installers myself and distribute them directly to my users.

Regards,
Andy Robinson, Seventh String Software, www.seventhstring.com


More information about the gstreamer-devel mailing list