Consider signing the release #155
Comments
Fair point, let's take a look at the options:
From the above, Certum looks more advantageous. Thoughts?
That looks ok to me. I can use Microsoft Authenticode (digital certificates) and so signtool.
Certum requires a physical hardware device and I don't want to be the only one who can release the app. I prefer to be able to sign code with Microsoft Authenticode through signtool and use it on TravisCI.
Could you elaborate why? I would imagine the opposite to be true.
It's more about being able to automate the build process (and so code signing) through TravisCI while making a release.
💸
Thanks a lot for your donation @asvc ❤️
As a free solution, you can sign your binary with your GPG key, provide the key details (ID + fingerprint) together with the public key, and that's it. As a source for the public key you can upload it to your GitHub repo and also use keys.openpgp.org, so you get a mirror and a second place to verify the key, which protects it against manipulation at a single point of failure. If you then add checksums, like SHA512, we can also verify that the file's integrity hasn't been changed or that the download isn't somehow corrupt.
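A verifier for the GPG-plus-SHA512 release scheme described in the comment above, as an added example and not code from this project. It assumes a detached signature file next to the artifact, a SHA512SUMS file in the format `sha512sum` emits, a placeholder pinned fingerprint (the real one would be published in the repo and cross-checked against keys.openpgp.org), and that `gpg` is on PATH.

```python
"""Verify a GPG-signed release artifact and its SHA512SUMS entry (added example)."""
import hashlib
import re
import subprocess
import sys
from pathlib import Path

# Placeholder only: the real fingerprint comes from the project's README and
# is cross-checked against the copy on keys.openpgp.org before being pinned.
EXPECTED_FPR = "0000000000000000000000000000000000000000"


def sha512sums_text(files):
    """Maintainer side: render {name: bytes} in the format `sha512sum` prints."""
    return "".join(f"{hashlib.sha512(d).hexdigest()}  {n}\n" for n, d in files.items())


def parse_sums(text):
    """Parse '<128 hex>  <name>' lines (or ' *<name>' binary mode) into {name: hex}."""
    sums = {}
    for line in text.splitlines():
        m = re.match(r"^([0-9a-fA-F]{128})\s+\*?(\S.*)$", line.strip())
        if m:
            sums[m.group(2)] = m.group(1).lower()
    return sums


def checksum_ok(name, data, sums):
    """True only if `name` has an entry and the SHA512 of `data` matches it."""
    expected = sums.get(name)
    return expected is not None and hashlib.sha512(data).hexdigest() == expected


def signing_fingerprints(sig_path, file_path):
    """Run gpg and return fingerprints from its VALIDSIG status line (empty set if bad).
    VALIDSIG is emitted only for a good signature; field 2 is the signing (sub)key
    fingerprint and the last field, when present, is the primary key fingerprint."""
    proc = subprocess.run(["gpg", "--status-fd", "1", "--verify", str(sig_path), str(file_path)],
                          capture_output=True, text=True)
    for line in proc.stdout.splitlines():
        f = line.split()
        if len(f) > 2 and f[0] == "[GNUPG:]" and f[1] == "VALIDSIG":
            return {f[2].upper(), f[-1].upper()}
    return set()


def release_ok(file_path, sig_path, sums_path, expected_fpr=EXPECTED_FPR):
    """Both checks must pass: the checksum matches and the pinned key signed the file."""
    file_path = Path(file_path)
    sums = parse_sums(Path(sums_path).read_text())
    if not checksum_ok(file_path.name, file_path.read_bytes(), sums):
        return False
    return expected_fpr.upper() in signing_fingerprints(sig_path, file_path)


if __name__ == "__main__":  # usage: verify.py app.exe app.exe.asc SHA512SUMS
    ok = release_ok(*sys.argv[1:4])
    print("release verified" if ok else "VERIFICATION FAILED")
    sys.exit(0 if ok else 1)
```

Checking the fingerprint from VALIDSIG rather than just gpg's exit code matters: any key in the local keyring would otherwise yield a "good" signature.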
Subj. As a side effect, it should help with the false positives on VirusTotal.