We need a signing certificate (SLL?) for this, InstantSSL costs $179 / year. We could apply for grants from WMF and local chapters. I was also linked to https://en.sklep.unizeto.pl/data-safety/code-signing-certificates/open-source-code-signing.html which is for open source, and is only €14.

If you're willing to wait until September, Let's Encrypt will give you certificates for free.

In T105560#1447490, @MrStradivarius wrote:

If you're willing to wait until September, Let's Encrypt will give you certificates for free.

For code signing?

Huggle is open source, both Microsoft and Apple are enforcing weird policies that are basically just forcing developers to pay huge money either directly to MS or Apple just so that they can publish the software "right way". For same reason huggle isn't on apple market. I don't really see a point in having to pay money in order to distribute free software to others. Applying for a grant, so that I could take money from people who supported wikimedia as a free movement and give these money to huge corporations who are draining money from everyone, including freeware developers doesn't look as a good idea to me. Should there be a free service that provides this, we can use it, but until then, this isn't anything that can be easily solved.

For code signing?

I'm not sure - I've never had to set up a certificate for anything yet. If it's not obvious from the website, then probably not.

Code signing usually works in the way that you have a public and private keys (or certificates), distribute the public key to a key server and sign the binary packages with the private one, so that it can be verified that binary package really comes from you and not some hacker who did something evil.

You don't really need a certificate from certificate authority for this, there is absolutely no point in that as long as there is some sort of certificate server you can upload your public key to. For example both debian and ubuntu allow signing with certificates you create yourself on your pc. It's just Micro$$oft that requires commercial certificates that cost money. Both are same effective just the later is expensive.

Huggle packages for ubuntu are signed and it works. With a certificate that is located on our build server and which I freely generated there. If Microsoft can't do this, it's their problem.

In T105560#1447490, @MrStradivarius wrote:

If you're willing to wait until September, Let's Encrypt will give you certificates for free.

Let's encrypt is just for website SSL certs.

In T105560#1460312, @Petrb wrote:

Huggle packages for ubuntu are signed and it works. With a certificate that is located on our build server and which I freely generated there. If Microsoft can't do this, it's their problem.

Yes, if and only if the user installs your public key. The same is of course possible in Windows, and (as in Linux) requires an administrator to load the key in the key store.

Unizeto used to provide free certificates, but now charges a small (€18) fee. For that fee, they check your identity (so it covers their actual costs). Note that the publisher field would then not be 'Huggle', but e.g. 'Petr Bena - Open Source Developer'.

Let's decline this?

Oh hey, thanks :)

Side note: Let's Encrypt, now that it is actually an active project handing out certificates, does explicitly not offer code signing certificates.

https://community.letsencrypt.org/t/do-you-support-code-signing/370

I think requesting a grant (e.g. through https://meta.wikimedia.org/wiki/Grants:Project/Rapid) is probably the easiest in terms of documented process. Unfortuately rapid grants are closed for another month, but it seems you can still submit a proposal. I would suggest proposing a three year certificate due to the overhead involved.

A lower overhead alternative could be asking your local chapter. Generally local chapters can more easily 'just pay' for these kinds of things. This does require you to have some contacts in the chapter organisation to be efficient.

In T105560#4234867, @valhallasw wrote:

I think requesting a grant (e.g. through https://meta.wikimedia.org/wiki/Grants:Project/Rapid) is probably the easiest in terms of documented process. Unfortuately rapid grants are closed for another month, but it seems you can still submit a proposal. I would suggest proposing a three year certificate due to the overhead involved.

A lower overhead alternative could be asking your local chapter. Generally local chapters can more easily 'just pay' for these kinds of things. This does require you to have some contacts in the chapter organisation to be efficient.

There is no "local chapter" for Huggle. It's a global tool, primarily originating from English wikipedia. I am myself not a member of any chapter either. If anyone should fund this it should be either WMF or crowd-collected by Huggle users.

I found this site which is one of few that actually display the price of signing key: https://www.globalsign.com/en/code-signing-certificate/

It's $600 for 3 years (worse option) or $950 for 3 years (better option), not sure if we need better option, I don't think so. Anyway it seems that be way more expensive than 20EUR

Question is if we really need such a feature if it really is so expensive (and only for 3 years anyway - and only for 1 platform). The money could probably be spent in a better way :/

I found that GoDaddy has them for $509/3 yr (a bit cheaper) - https://www.godaddy.com/web-security/code-signing-certificate or even cheaper with Comodo ($212.50/3 yr) - https://comodosslstore.com/codesigning.aspx Are these options or do we really need a $950 one?

It's important that the company that provides the certificates is already trusted by microsoft, otherwise it would be pointless buying the certificate from them.

The difference on globalsign (which is trusted by microsoft) is that with more expensive option you get "Immediate reputation with Microsoft SmartScreen". Which is maybe the original issue in this task? The screen that say software may be virus is SmartScreen, or not?

I personally see this "security popup" as a very shady business of Microsoft and certificate corporations, the protection provided by certificates is relatively small, the work connected to setup of new certificate is minimal and money charged for this simple service are massive. So I don't really support this very much under these conditions.

If the Huggle community really believes that having the executables signed is important and the community or WMF is willing to (repeatedly) pay for certificate for this amount of money, then I can of course incorporate such certificate into windows binaries, but I am absolutely not willing to put my own money to this. I think $900 can be spent for better stuff than certificate which is only needed during installation of Huggle (and just to hide some annoying popup from MS).

212.50/3yr does not necessarily appear to be excessive to me, but that certificate does not offer "extended validation" (EV).

https://docs.microsoft.com/en-us/windows-hardware/drivers/dashboard/get-a-code-signing-certificate

"Standard Code Signing: Provides standard level of identity validation, Requires shorter processing times and lower cost, Can be used for all Hardware Dev Center hardware dashboard services except LSA, and UEFI file signing services. In Windows 10 for desktop editions (Home, Pro, Enterprise, and Education), standard code signing cannot be used for kernel-mode drivers. For more info about these changes, see Code Signing FAQ."

We're not building a kernel-mode antivandalism driver here, so I would have thought that this is sufficient. However, it seems that a "standard" certificate does not necessarily prevent the SmartScreen warning. If I understand correctly what various semi-reliable sources like StackOverflow users say, then only a EV certificate would "guarantee" removing the warning. Using a "standard" code signing certificate appears to start a process called "trust building", showing SmartScreen warnings to users until enough people decided to ignore the warning and continue anyway. Only if "enough" people do that, the warning will disappear for all users. I guess that Huggle will never have "enough" users to be able to make use of this process, and that a "standard" certificate might in the worst case not change our situation at all.

$900 is just crazy.

https://en.wikipedia.org/wiki/Extended_Validation_Certificate#Domain-validated_certificates_were_created_by_CAs_in_the_first_place

Okay. What we need instead, then, is a good, easy-to-understand tutorial with screenshots, explaining how to install Huggle anyway.

Edit: I'm creating a simple 2-screenshot explanation right now, using Inkscape to create "screenshots" that can be freely used.

@Petrb Have you looked for government-issued certificates? My country's government does issue free personal ID certificates to identify electronically to government websites, email signing, etc. Code signing certificates are avalaible (for a fee I think, have not checked). I see some European governments do so as well (some do cost, some others do not). Just an idea. Thanks.