[AnthonyMouse]

> We also dont have a code signing certificate yet either, they are expensive for windows.

When someone is offering you a certificate and the only thing you have to do in order to get it is pay them a significant amount of money, that's a major red flag that it's either a scam or you're being extorted. Or both. In any case you should not pay them and neither should anyone else.

[DougN7]

Besides paying money you also go through a (pretty simplistic) audit. It’s about the only way we have to know who published some code, which is important. If you can come up with a better way you should implement it and we’ll all follow.

As a side note, I’ve been trying to figure out how to get an EV code signing cert that isn’t tied to me (want to make a tool Microsoft won’t like and don’t want retaliation to hurt my business) but I haven’t come up with a way to do it - which is a good thing I suppose.

[hunter2_]

Can you have someone else go through the process of getting it, like a Craigslist rando to whom you pay cash?

[wongarsu]

If said Craigslist rando likes getting police visits and potentially being criminally liable for helping you commit a felony ...

All code signing promises to give you the name of a real person or company that signed the binary. From there it's the end user's responsibility to decide if they trust that entity.

In practice the threat of the justice system makes any signed executable unlikely to be malicious. But that doesn't mean you have to uncritically trust a binary signed by Joe Hobo

[newzisforsukas]

> In practice the threat of the justice system makes any signed executable unlikely to be malicious.

What threats are those? Where are all the people going to jail for falsely signed software? The stuxnet authors seem to be in the wind.

[wongarsu]

The threat is that if you sign malware with your name you will be quickly connected with said malware. If you don't live in a country that turns a blind eye to cyber crime that is a quick ticket to jail.

Of course people stealing other people's signing keys is an issue. But EV code signing certificates are pretty well protected (requiring either a hardware dongle or 2FA). It's not impossible for a highly sophisticated attacker, but it's a pretty high bar.

[hluska]

There’s an audit to go through where you (sort of) prove who you are. The system isn’t great, but if you can come up with something better there’s a lot of space to make software more secure for people.

[firesteelrain]

There's a reason it costs money and it's because the CAs have to undergo costly audits. Microsoft publishes a list of trusted CAs:

https://ccadb.my.salesforce-sites.com/microsoft/IncludedCACe...

[a1o]

This looks like a random website and not a Microsoft website. How could I trust such list?

[firesteelrain]

Because it came from this site: https://learn.microsoft.com/en-us/security/trusted-root/part...

I used Google to search for "list of microsoft trusted CA".

[firesteelrain]

Looks like people have no experience with CA audits or security controls