by Someone1234 2971 days ago
7-Zip needs to start a Go Fund Me or similar for a Code Signing certificate. They're like $69-89/year, which is expensive, but for such a popular piece of software it would be a nice safety net in case of site compromise.

Too bad none of the big CAs have an Open Source/Charity program that would provide an Authenticode Certificate for use with that software.

5 comments

> Go Fund Me

I second it. The thing with donations is many people assume that someone is gonna donate (including me) and click "not now or later", whereas on GoFundMe we would see how much they raised out of the total goal and many people would then put in the money.

IIRC 7-Zip has explicitly decided not to get signed. It doesn’t help all that much anyway, SmartScreen still catches your application and nags the user.

Unfortunately, I cannot seem to find any reference, so I might remember it wrong or it wasn’t about 7-Zip or whatever. The thing with SmartScreen is (unfortunately) still true.

EV Code signing certs get you immediate trust with Smart Screen. Recently discussed over on the bootstrapped forum: http://discuss.bootstrapped.fm/t/code-signing-certificate-re...

Regular, non-EV code-signing certs aren't as useful as they were when Vista / Windows 7 were the main Windows OSes.

I wonder what you mean by "not useful"? They just have to participate in the reputation system, but that's an issue only when the certificate is young.

Here's an excerpt from MSDN:

> Detractors may claim that SmartScreen is “forcing” developers to spend money on certificates. It should be stressed that EV code signing certificates are not required to build or maintain reputation with SmartScreen. Files signed with standard code signing certificates and even unsigned files continue to build reputation as they have since Application Reputation was introduced in IE9 last year. However, the presence of an EV code signing certificate is a strong indicator that the file was signed by an entity that has passed a rigorous validation process and was signed with hardware which allows our systems to establish reputation for that entity more quickly than unsigned or non-EV code signed programs.

Source: https://blogs.msdn.microsoft.com/ie/2012/08/14/microsoft-sma...

I didn’t say “not useful”. Clearly they’re useful. I said non-EV certs “aren’t as useful”. Which is just a fact (as evidenced by the Smart Screen “reputation boost” that EV certs get).

I already read that blog post. I’m the person who linked to it in the forum post.

Interesting, I wasn’t aware of that.

However, isn’t getting an EV certificate impossible for a natural person? You’d have to be some sort of legally recognized organization. Not exactly suitable for small-scale Open Source development.

> However, isn’t getting an EV certificate impossible for a natural person? You’d have to be some sort of legally recognized organization

no? random example:

https://sourceforge.net/projects/keepass/files/KeePass%202.x...

signer is: "Open Source Developer, Dominik Reichl"

edit: another example

https://yarnpkg.com/latest.msi

signer is: "Daniel Lo Nigro"

KeePass: This isn’t an EV certificate (has only OID 2.23.140.1.4). Certum also clearly states, topmost on the description of how to get an EV Code Signing certificate:

> We do not issue EV Code Signing certificates to natural persons!

Yarn: Not an EV certificate either: "Organizationally validated certificates used to sign standard objects." (2.16.840.1.114412.3.1 in addition to 2.23.140.1.4.1).

> It doesn’t help all that much anyway, SmartScreen still catches your application and nags the user.

Windows 10, in the default configuration, won't let you install unsigned applications at all. It might "nag" early downloaders when a certificate is present but you can override that (and the nagging stops eventually due to popularity).

But more importantly, if the site were ever compromised, it makes it easier to spot if a compromised binary is posted, since hopefully the bad guy wouldn't have the code signing certificate. Right now the official binary looks like a compromised version.

When I was just installing it now (this post reminded me that I hadn't updated it recently) I was put off by the lack of publisher in the installer and went back to double-check it was the official version. It's really off-putting seeing "publisher: unknown" when installing and my immediate reaction was, "wait, did I install it from the legit site?".
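A defender's check for the points raised in this subthread (is the download signed at all, who the publisher is, and whether the signer certificate carries the EV or the OV code-signing policy OID), as an added PowerShell example that is not part of this thread. The file path and the expected publisher string are placeholders, and Test-SignedPublisher is a hypothetical function name; it assumes Windows PowerShell 5.1 or later.

```powershell
# Added example (not from this thread). Assumes Windows PowerShell 5.1 or later;
# the file path is a placeholder and -ExpectedSubject is a hypothetical parameter:
# the publisher string you expect on the vendor's official build.
function Test-SignedPublisher {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$ExpectedSubject = 'CN=Example Publisher'   # placeholder value
    )

    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate

    # NotSigned is what the installer shows as "publisher: unknown"; HashMismatch
    # means the bytes changed after signing, e.g. a swapped download.
    if ($sig.Status -ne 'Valid' -or -not $cert) {
        return [pscustomobject]@{
            Path = $Path; Status = $sig.Status; Publisher = 'unknown'
            Policy = 'none'; PublisherMatches = $false
        }
    }

    # CA/Browser Forum policy OIDs live in the Certificate Policies extension
    # (2.5.29.32): 2.23.140.1.3 marks EV code signing, 2.23.140.1.4.1 marks
    # OV ("standard") code signing. Format($true) renders the extension as text.
    $ext  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.32' }
    $text = if ($ext) { $ext.Format($true) } else { '' }
    $policy = if     ($text -match '2\.23\.140\.1\.3(\D|$)')   { 'EV code signing' }
              elseif ($text -match '2\.23\.140\.1\.4\.1(\D|$)') { 'OV code signing' }
              else                                               { 'no CA/B Forum policy OID' }

    [pscustomobject]@{
        Path             = $Path
        Status           = $sig.Status
        Publisher        = $cert.Subject
        Policy           = $policy
        PublisherMatches = ($cert.Subject -eq $ExpectedSubject)
    }
}

# Usage: compare the binary you just downloaded against the publisher you expect.
Test-SignedPublisher -Path 'C:\Downloads\installer.exe' -ExpectedSubject 'CN=Example Publisher'
```

A Status of Valid with a Publisher that does not match what you expect is the case the comment above describes: a correctly signed file, but not by the project.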

it's even cheaper if it's for an open source project: https://www.certum.eu/certum/cert,offer_en_open_source_cs.xm...

28 eur.

That's surprising. I'd expect they receive more than $70 a year in donation already, so it should not be such a big issue.

AFAIK 7-zip doesn't take donations (feel free to correct me), but you could argue that the donations were going towards the author of the software to thank them for their work and not towards funding the development, so the author has no reason to feel compelled to buy a cert if they don't want to. Of course, that would all depend on the wording of the donation page, which I don't believe exists.

I've never found (recently) how to donate to 7-zip, it seems the author removed the option to do so on the website. Maybe I'm too stupid, so please correct me if I'm wrong and you find a link.

That could be a nice use case for a blockchain.

I can picture this working, actually. Someone could put some smart contracts into the Ethereum blockchain, for example, one per piece of software, with the instruction that if the contract receives more than a certain threshold in total donations, a transaction is sent to a CA asking them to issue a code signing cert to the developer of the relevant piece of software (hardcoded into the smart contract).

The CA would have to be in on this, by having an Ethereum address to receive the crowd-funded amount at, and they would have to make contact with the developer and verify them using their normal methods, but there would be a strong financial incentive for them to persuade the developer to accept their certificate. Perhaps if the developer declines, then the funds controlled by the smart contract can expire and be sent back to the unsuccessful crowd-funders.