zlacker

1. adzm+(OP)[view] [source] 2026-02-02 03:04:14
Code signing certs are unfortunately expensive
replies(3): >>firest+S1 >>1una+ap >>Chaosv+Z3b
2. firest+S1[view] [source] 2026-02-02 03:20:21
>>adzm+(OP)
$700+ at Sectigo for two years

Something of Notepad++ size might think about it now

replies(2): >>abeyer+Wa >>hjoutf+go
3. abeyer+Wa[view] [source] [discussion] 2026-02-02 05:02:40
>>firest+S1
"of Notepad++ size" is basically one guy in his free time, no?
replies(1): >>eviks+Xd
4. eviks+Xd[view] [source] [discussion] 2026-02-02 05:37:14
>>abeyer+Wa
"But look at those downloads, they magically print money"
replies(1): >>firest+On
5. firest+On[view] [source] [discussion] 2026-02-02 07:31:39
>>eviks+Xd
Notepad++ is Windows-based and could use the Windows store instead of the built-in updater. Microsoft charges a one-time fee. It would pass SmartScreen checks. His website has a bunch of ads integrated which I assume are there to help pay for hosting.

Mr. Ho already has hosting charges and he uses GitHub. For those who use GitHub, he could continue his GnuPG method for signing. Additionally, GitHub integrates with Sigstore. Windows wouldn’t trust his signature but at least there would be better traceability. Version 8.8.7 labeled “authenticity guaranteed” is a step in that direction.

The real “issue” here was his outside hosting platform for updates from my reading of the article.

6. hjoutf+go[view] [source] [discussion] 2026-02-02 07:36:22
>>firest+S1
The issue was not the money, but that it was difficult to get a certificate without having some sort of legal entity.
replies(3): >>firest+rp >>anonno+ty3 >>Chaosv+m4b
7. 1una+ap[view] [source] 2026-02-02 07:46:43
>>adzm+(OP)
$0 at SignPath. Quite a few OSS projects use it.
8. firest+rp[view] [source] [discussion] 2026-02-02 07:51:04
>>hjoutf+go
Certum.eu has this figured out.

https://support.certum.eu/en/code-signing-required-documents...

https://shop.certum.eu/open-source-code-signing-on-simplysig...

$49 (EU) Gross

9. anonno+ty3[view] [source] [discussion] 2026-02-03 02:24:39
>>hjoutf+go
Delaware LLCs are "cheap," but you're still looking at $300-500 a year in fees.
10. Chaosv+Z3b[view] [source] 2026-02-05 01:32:53
>>adzm+(OP)
You don't even need a certificate to prevent update tampering like this. The updates could have shipped with an ECDSA signature and this wouldn't have happened. It's also free and doable in an afternoon.
11. Chaosv+m4b[view] [source] [discussion] 2026-02-05 01:35:48
>>hjoutf+go
It was negligence. You don't need a certificate to prevent update tampering.
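
Added example, not part of the thread or Notepad++'s code: the ECDSA approach comments 10 and 11 describe, with the release side signing the package digest and the updater verifying it against a public key compiled into the client. The function names, the P-256 curve and the sample bytes are assumptions made for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

// NewReleaseKey makes a P-256 key; the DER public key is what the updater embeds.
func NewReleaseKey() (*ecdsa.PrivateKey, []byte, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	der, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	return priv, der, err
}

// SignUpdate runs at release time, on a machine separate from the download host.
func SignUpdate(priv *ecdsa.PrivateKey, pkg []byte) ([]byte, error) {
	digest := sha256.Sum256(pkg)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// VerifyUpdate runs in the updater before install. The key comes from the
// client binary, never from the server that delivered pkg and sig.
func VerifyUpdate(pinnedDER, pkg, sig []byte) error {
	key, err := x509.ParsePKIXPublicKey(pinnedDER)
	if err != nil {
		return fmt.Errorf("pinned key: %w", err)
	}
	pub, ok := key.(*ecdsa.PublicKey)
	digest := sha256.Sum256(pkg)
	// VerifyASN1 also returns false for an empty or malformed signature.
	if !ok || !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return fmt.Errorf("wrong key type or bad/missing signature: refusing to install")
	}
	return nil
}

func main() {
	priv, pinned, _ := NewReleaseKey() // constructed demo key
	pkg := []byte("constructed installer bytes")
	sig, _ := SignUpdate(priv, pkg)
	fmt.Println("genuine: ", VerifyUpdate(pinned, pkg, sig))
	fmt.Println("tampered:", VerifyUpdate(pinned, append(pkg, 'x'), sig))
}
```

The check only helps if the updater fails closed: an update with no signature, or one signed by any key other than the embedded one, is rejected the same way as a modified package.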