Signing the distribution on Windows & Mac

Signing the distribution on Windows & Mac

Andy Robinson
Is there any interest in signing the distributions for Windows and Mac?
It certainly seems to me that the current absence of signatures must be
a significant obstacle to the adoption of GStreamer on these two
platforms which between them account for the vast majority of all
desktop computers.

At present on Windows 10 32-bit I download gstreamer-1.0-x86-1.8.1.msi
and when I try to run it I get
    "The publisher could not be verified.
    Are you sure you want to run this software?".

On Mac OS 10.10 with default security settings I get
    "gstreamer-1.0-1.8.1-x86_64.pkg" can't be opened because
    it is from an unidentified developer.
    Your security preferences allow installation of only
    apps from the Mac App Store and identified developers.
The Mac doesn't allow the option of installing at all.

This will prevent many Windows users and practically all Mac users from
installing it. I might be exaggerating slightly, but I would say that
these days it is hardly worth producing Windows and Mac distributions at
all if they are not signed.

Once the signing certificates are obtained then it's just one more step
in the build script. I'm happy to help if I can though it seems to me
the certificates should be owned and applied by the GStreamer
organization, or by the person who builds the distribution packages. In
particular I would be happy to pay the costs, which AFAIK would be
something like $99 per year to be a member of the Apple Developer
program and I currently pay around $400 per year for an authenticode
certificate from Symantec, for Windows signing.

Obviously there is some self interest here on my part : the next release
of my company's main product will not *require* GStreamer but I will be
encouraging users to install it to add certain features (e.g. video, and
more audio file formats).

Regards,
Andy Robinson, Seventh String Software, www.seventhstring.com
_______________________________________________
gstreamer-devel mailing list
[hidden email]
https://lists.freedesktop.org/mailman/listinfo/gstreamer-devel

Re: Signing the distribution on Windows & Mac

Sebastian Dröge-3
On Thu, 2016-05-19 at 12:33 +0100, Andy Robinson wrote:

> Is there any interest in signing the distributions for Windows and Mac? 
> It certainly seems to me that the current absence of signatures must be 
> a significant obstacle to the adoption of GStreamer on these two 
> platforms which between them account for the vast majority of all 
> desktop computers.
>
> At present on Windows 10 32-bit I download gstreamer-1.0-x86-1.8.1.msi 
> and when I try to run it I get
>     "The publisher could not be verified.
>     Are you sure you want to run this software?".
>
> On Mac OS 10.10 with default security settings I get
>     "gstreamer-1.0-1.8.1-x86_64.pkg" can't be opened because
>     it is from an unidentified developer.
>     Your security preferences allow installation of only
>     apps from the Mac App Store and identified developers.
> The Mac doesn't allow the option of installing at all.
>
> This will prevent many Windows users and practically all Mac users from 
> installing it. I might be exaggerating slightly, but I would say that 
> these days it is hardly worth producing Windows and Mac distributions at 
> all if they are not signed.
>
> Once the signing certificates are obtained then it's just one more step 
> in the build script. I'm happy to help if I can though it seems to me 
> the certificates should be owned and applied by the GStreamer 
> organization, or by the person who builds the distribution packages. In 
> particular I would be happy to pay the costs, which AFAIK would be 
> something like $99 per year to be a member of the Apple Developer 
> program and I currently pay around $400 per year for an authenticode 
> certificate from Symantec, for Windows signing.
>
> Obviously there is some self interest here on my part : the next release 
> of my company's main product will not *require* GStreamer but I will be 
> encouraging users to install it to add certain features (e.g. video, and 
> more audio file formats).

The main problem here seems to be that the keys for the signature need
to be available to whoever is building the binaries. Is it easily
possible to share these keys?

Can you file a bug about this at
  https://bugzilla.gnome.org/enter_bug.cgi?product=GStreamer

--
Sebastian Dröge, Centricular Ltd · http://www.centricular.com


Re: Signing the distribution on Windows & Mac

Kyrylo Polezhaiev
but obviously that defeats the point of using keys in the first place :-)

On May 20, 2016, at 11:39, Sebastian Dröge <[hidden email]> wrote:

The main problem here seems to be that the keys for the signature need



Re: Signing the distribution on Windows & Mac

Sebastian Dröge-3
On Fri, 2016-05-20 at 11:41 +0300, Kyrylo Polezhaiev wrote:
> but obviously that defeats the point of using keys in the first place
> :-)

We could share them privately among the project members I guess.

--
Sebastian Dröge, Centricular Ltd · http://www.centricular.com



Re: Signing the distribution on Windows & Mac

Jérôme Laheurte

> On 20 May 2016, at 10:43, Sebastian Dröge <[hidden email]> wrote:
>
> On Fri, 2016-05-20 at 11:41 +0300, Kyrylo Polezhaiev wrote:
>> but obviously that defeats the point of using keys in the first place
>> :-)
>
> We could share them privately among the project members I guess.

My 2 cents: the Mac developer program has a concept of « team » for sharing certificates, but each team member must be registered, so the cost bumps up to 99$ per developer per year. For Windows certificates, last time I had the dubious honor of having to get one, the process was a bit of a pain in the ass; you must use a specific version of IE, install various components, and use the exact same computer to renew it later; I’m not even sure there’s a way to « export » it to sign executables on a different machine, but I didn’t look long…

Best regards
Jérôme



RE: Signing the distribution on Windows & Mac

Kyrylo Polezhaiev
GStreamer is an open source project, so any superstitious man can download sources and build binaries himself.

From: [hidden email]
Sent: 5/20/2016 12:44 PM
To: [hidden email]
Subject: Re: Signing the distribution on Windows & Mac


> On 20 May 2016, at 10:43, Sebastian Dröge <[hidden email]> wrote:
>
> On Fri, 2016-05-20 at 11:41 +0300, Kyrylo Polezhaiev wrote:
>> but obviously that defeats the point of using keys in the first place
>> :-)
>
> We could share them privately among the project members I guess.

My 2 cents: the Mac developer program has a concept of « team » for sharing certificates, but each team member must be registered, so the cost bumps up to 99$ per developer per year. For Windows certificates, last time I had the dubious honor of having to get one, the process was a bit of a pain in the ass; you must use a specific version of IE, install various components, and use the exact same computer to renew it later; I’m not even sure there’s a way to « export » it to sign executables on a different machine, but I didn’t look long…

Best regards
Jérôme



Re: Signing the distribution on Windows & Mac

Andy Robinson
On 20/05/16 10:59, Kyrylo Polezhaiev wrote:
> GStreamer is an open source project, so any superstitious man can download
> sources and build binaries himself.

If we want ordinary non-technical people to be able to install GStreamer
then this isn't a practical option.

Regards,
Andy Robinson, Seventh String Software, www.seventhstring.com

Re: Signing the distribution on Windows & Mac

Andy Robinson
In reply to this post by Jérôme Laheurte
On 20/05/16 10:44, Jérôme Laheurte wrote:

>
>> On 20 May 2016, at 10:43, Sebastian Dröge <[hidden email]> wrote:
>>
>> On Fri, 2016-05-20 at 11:41 +0300, Kyrylo Polezhaiev wrote:
>>> but obviously that defeats the point of using keys in the first place
>>> :-)
>>
>> We could share them privately among the project members I guess.
>
> My 2 cents: the Mac developer program has a concept of « team » for sharing certificates, but each team member must be registered, so the cost bumps up to 99$ per developer per year. For Windows certificates, last time I had the dubious honor of having to get one, the process was a bit of a pain in the ass; you must use a specific version of IE, install various components, and use the exact same computer to renew it later; I’m not even sure there’s a way to « export » it to sign executables on a different machine, but I didn’t look long…
>
> Best regards
> Jérôme

You're right about Mac teams - I would guess that there isn't an
enormous number of GStreamer developers who would need to be able to
sign a Mac distribution (2 or 3?) so the cost would not be prohibitive.

As for Windows, yes you need to go through the procedure of ordering and
collecting the certificate using the same browser and machine throughout
- and I found it has to be IE not Edge. But once you have the
certificate you can move the pfx file to a different machine and use it
there. Of course, as soon as you send the pfx in an unencrypted email
then it could potentially be leaked. There are also identity checks
before the certificate is issued, depending on the certificate
provider's procedures.

It is all a bit tedious and tricksy to get it set up. If the GStreamer
people who prepare the Windows & Mac distributions want to do this then
as I've said I would be happy to pay the cost, and this would be the
right way to do it, with certificates issued to the GStreamer
organisation. But I don't know if you have the time and the desire to
make this happen.

If not then I guess my backup solution would be to sign the relevant
installers myself and distribute them directly to my users.

Regards,
Andy Robinson, Seventh String Software, www.seventhstring.com
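
The point made in the message above, that a .pfx can be moved between machines and can therefore leak, as an added example that is not part of the original thread: a PFX bundles the private key with the certificate, and its export passphrase is the only protection it carries in transit. The certificate is a throwaway self-signed one constructed for the demonstration; the function names and the `PFX_PASS` variable are assumptions of this example.

```shell
#!/bin/sh
# Added illustration: what a .pfx carries and what protects it in transit.
# Uses a throwaway self-signed certificate (constructed), not a CA-issued one.
set -eu

# Build a demo PFX in directory $1. The passphrase is read from $PFX_PASS so
# it never appears on a command line or inside the build script.
make_demo_pfx() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Constructed Demo Signer" \
    -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
  openssl pkcs12 -export -inkey "$1/key.pem" -in "$1/cert.pem" \
    -passout env:PFX_PASS -out "$1/signing.pfx"
  rm -f "$1/key.pem"   # keep only the passphrase-protected copy of the key
}

# Succeeds only if the passphrase in $PFX_PASS unlocks the PFX file $1.
pfx_unlocks() {
  openssl pkcs12 -in "$1" -passin env:PFX_PASS -noout 2>/dev/null
}

# Succeeds if the unlocked PFX $1 contains a private key, i.e. anyone holding
# the file and the passphrase can sign as the certificate's subject.
pfx_has_private_key() {
  openssl pkcs12 -in "$1" -passin env:PFX_PASS -nocerts -nodes 2>/dev/null \
    | grep -q 'PRIVATE KEY'
}

# SHA-256 fingerprint of the certificate inside PFX $1, for comparison over a
# separate channel after the file has been copied to another build machine.
pfx_cert_fingerprint() {
  openssl pkcs12 -in "$1" -passin env:PFX_PASS -nokeys 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256
}
```

To try it, export `PFX_PASS`, call `make_demo_pfx` on a scratch directory, then call `pfx_unlocks` once with the right passphrase and once with a wrong one.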

Re: Signing the distribution on Windows & Mac

Andy Robinson
In reply to this post by Sebastian Dröge-3
On 20/05/16 09:39, Sebastian Dröge wrote:
> Can you file a bug about this at
>    https://bugzilla.gnome.org/enter_bug.cgi?product=GStreamer

https://bugzilla.gnome.org/show_bug.cgi?id=766715

Regards,
Andy Robinson, Seventh String Software, www.seventhstring.com