Hacker News
by gruez 203 days ago
So, EV code signing certificates? Windows has that, and it'll verify that right in the OS. Git, for instance, shows as being signed by

CN = Johannes Schindelin O = Johannes Schindelin S = Nordrhein-Westfalen C = DE

Downside is the cost. Certificates cost hundreds of dollars per year. There's probably some room to reduce cost, but not by much. You also run into issues of paying some homeless person $50 to use their identity for cyber crimes.

2 comments

How would the homeless chap have the creds or gravitas for people to trust him or her?
I don't really know who Johannes Schindelin is either but use git quite happily.
You don't need certificates, just use PGP keys like Maven.
PGP keys don't tell you anything about a developer's "real identity". Theoretically there's some "web of trust", but realistically everyone just blindly downloads whatever PGP key is listed on the repo's install instructions.
Bullshit. The public key can be obtained by several easy means, like visiting the publisher's website or a social network site like GitHub, which is common. That verifies the identity just as well as any certificate! But with much less trouble.
How are you still missing the "real identity" part? A bitcoin address might be easily verifiable, but isn't anyone's idea of "real identity".
Real identity is impossible to establish beyond any doubt, and a certificate is no better than a key on a website, in fact it's essentially the exact same thing.
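The disagreement above comes down to where the public key is bound to something the verifier already trusts. The following is an added example, not code from the thread or from Git, Maven or Windows, and it uses Ed25519 from Go's standard library as a stand-in for PGP or Authenticode; the seeds, the artifact bytes and the `Release` type are constructed for illustration. It runs the two checks side by side: "blind" verification with the key fetched from the same download page as the artifact, and "pinned" verification where the key is first matched against a fingerprint recorded from an independent channel (which is the job a CA-issued certificate or a key pinned at an earlier release does).

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Release models what a user fetches from a project's download page: the
// artifact, a detached signature over it, and the public key the install
// instructions point at. All three arrive over the same channel.
type Release struct {
	Artifact  []byte
	Signature []byte
	PubKey    ed25519.PublicKey
}

// Fingerprint is the SHA-256 of the raw public key, hex encoded. This is the
// value a user would record from an independent source (a distro package, a
// previous release, a certificate chain) before the release in question exists.
func Fingerprint(pk ed25519.PublicKey) string {
	sum := sha256.Sum256(pk)
	return hex.EncodeToString(sum[:])
}

// VerifyBlind is "download whatever key is listed on the repo": the signature
// is checked with the key that arrived next to it. It proves only that whoever
// controls the download page also controls the key that signed the artifact.
func VerifyBlind(r Release) bool {
	return ed25519.Verify(r.PubKey, r.Artifact, r.Signature)
}

// VerifyPinned first checks the key against a fingerprint obtained out of
// band, then checks the signature. A substituted key fails the first test
// regardless of how valid its signature is.
func VerifyPinned(r Release, pinnedFP string) bool {
	if Fingerprint(r.PubKey) != pinnedFP {
		return false
	}
	return ed25519.Verify(r.PubKey, r.Artifact, r.Signature)
}

// keyFromSeed derives a deterministic key pair from a constructed seed so the
// example behaves the same on every run. Real publishers use crypto/rand;
// these seeds exist only for illustration.
func keyFromSeed(label string) (ed25519.PublicKey, ed25519.PrivateKey) {
	seed := sha256.Sum256([]byte(label))
	priv := ed25519.NewKeyFromSeed(seed[:])
	return priv.Public().(ed25519.PublicKey), priv
}

// publish signs an artifact and bundles it with the key the page will list.
func publish(pub ed25519.PublicKey, priv ed25519.PrivateKey, artifact []byte) Release {
	return Release{Artifact: artifact, Signature: ed25519.Sign(priv, artifact), PubKey: pub}
}

// Scenario runs both checks against a genuine release and against a release
// where an attacker who took over the download page re-signed a modified
// artifact with their own key and replaced the listed key. It returns, in
// order: blind and pinned results for the genuine release, then blind and
// pinned results for the forged one.
func Scenario() (genuineBlind, genuinePinned, forgedBlind, forgedPinned bool) {
	pubPub, pubPriv := keyFromSeed("constructed publisher seed")
	attPub, attPriv := keyFromSeed("constructed attacker seed")

	// The user pinned the publisher's fingerprint from an independent channel
	// before this release appeared.
	pinned := Fingerprint(pubPub)

	genuine := publish(pubPub, pubPriv, []byte("installer v1.0 (constructed artifact)"))
	forged := publish(attPub, attPriv, []byte("installer v1.0 (constructed artifact) + backdoor"))

	genuineBlind = VerifyBlind(genuine)
	genuinePinned = VerifyPinned(genuine, pinned)
	forgedBlind = VerifyBlind(forged)
	forgedPinned = VerifyPinned(forged, pinned)
	return
}

func main() {
	gb, gp, fb, fp := Scenario()
	fmt.Printf("genuine release: blind=%v pinned=%v\n", gb, gp)
	fmt.Printf("forged release:  blind=%v pinned=%v\n", fb, fp)
}
```

The forged release passes the blind check because a self-consistent key and signature is something anyone can produce; the pinned check is the only one that distinguishes the two, and it depends entirely on how the pinned fingerprint was obtained. A CA-issued code signing certificate moves that out-of-band step to the CA's vetting of the subject; a fingerprint taken from the publisher's own website moves it to whoever controls that website.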