Code signing

It’s been mentioned a few times recently that Windows and Mac users are shown various warning dialogs because we’re not signing our installer. Code signing has always struck me as providing little assurance to the user on one side, and as sort of a racket for companies selling code signing certificates. Nonetheless, we might be near a point where it would save us enough hassle to do it.

Here are some questions, interspersed with what I’ve gleaned from a small amount of looking:

  1. On Windows, we can sign executables with a code signing certificate. The executables we have are the installer, the launcher (VASSAL.exe), java.exe, and javaw.exe.

1.1) What changes for the user if we sign the installer?

This page (mkaz.blog/code/code-signing-a-w … pplication) suggests that signing the installer would result in a slightly less alarming-looking dialog when the user runs the installer.

Would anything else change?

1.2) What changes for the user if we sign the launcher?

1.3) Are java.exe and javaw.exe already signed? If not, should they be? By AdoptOpenJDK? By us?

1.4) Would signing have any effect on interference by antivirus software?

1.5) What provider would we use for our code signing certificate? Let’s Encrypt, which was the first thing I checked due to their doing SSL certificates for free, doesn’t do code signing certificates. Are there any providers which are free for open-source projects? If not, what’s our cheapest option?

1.6) It looks like we can do the signing on Linux:

stackoverflow.com/questions/182 … ed-distros
stackoverflow.com/questions/252 … s-exe-file

  2. On Macs, you can sign app bundles, and apparently also shared libraries (stackoverflow.com/questions/534 … pplication). What I’ve read says that you do it with a certificate from Apple that one gets via having one of their $99/yr developer accounts. (Is Apple really the only provider of certificates?)

2.1) What changes for the user if we sign the app bundle?

2.2) Are the AdoptOpenJDK dylibs already signed? If not, should they be? By AdoptOpenJDK? By us?

2.3) Can we sign the app bundle on Linux?

  3. Do the benefits of all of this justify the effort?

From a user’s perspective, especially if they aren’t super computer-literate, these warnings do look like we are trying to install a virus or steal their children or something…

How about distributing via a closed “store” like Steam? This is available for Windows and Mac, and probably doesn’t rely on code signing? Yes, it’s proprietary, but in these instances, so are the OSes.

On the subject of funding, how does Vassal obtain funding for web hosting etc? Other than the “donate” PayPal link at the bottom of the main page, I didn’t even notice until I looked for it, to be honest. Perhaps there could be other ways to get donations, such as a libre-pay sort of subs thing? … or even making the donate button a bit more prevalent (obviously, without shoving it in users’ faces like some do).

Speaking of which, I’ve just made a small donation…

… Or bug bounties? There’s probably plenty out there with their pet-peeve bugs…

Thus spake stew-rt:

On the subject of funding, how does Vassal obtain funding for web
hosting etc? Other than the “donate” paypal link at the bottom of the
main page,

That’s how. We take in enough to pay for hosting. We wouldn’t have a
problem also paying for code signing certs. I’m not worried about the
cost, though I’d prefer not to pay more than we need to for them.

I didn’t even notice until I looked for it to be honest.
Perhaps there could be other ways to get donations, such as a libre-pay
sort of subs thing? … or even making the donate button a bit more
prevalent (obviously, without shoving it in users faces like some do).

I’d push a bit harder for donations if they weren’t keeping up with
costs, but presently they are.

Speaking of which, I’ve just made a small donation…

Thanks.


J.

Yes.

Don’t have anything productive to add to this discussion as I’ve said goodbye to all these problems long ago by switching to Linux, and nowadays I’m laughing at the inconveniences that Windows/Mac users have.

I don’t think we can sign the Java binaries; they should be signed by whoever produces them. And AVs will probably always be nervous when an application brings its own Java executable; Minecraft doesn’t list the AVs at the top of their “incompatible software” list for fun.

Thus spake Flint1b:

Don’t have anything productive to add to this discussion as I’ve said
goodbye to all these problems long ago by switching to Linux, and
nowadays I’m laughing at the inconveniences that Windows/Mac users have.

This would be my attitude as well were I not in the position of supporting
software for use on Windows and Macs.

I don’t think we can sign the Java binaries; they should be signed by
whoever produces them. And AVs will probably always be nervous when an
application brings its own Java executable; Minecraft doesn’t list the
AVs at the top of their “incompatible software” list for fun.

My guess is that we shouldn’t sign the Java executables ourselves, but
that’s only a guess. At present, I don’t know if they’re already signed,
and I’m not sure how to check.


J.
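One way to answer the “how to check” question from Linux, as an added example that is not code from this thread or from the VASSAL project: a small Python script that reads the PE security data directory, which is where an Authenticode signature is attached. The bytes it builds when given no file are a constructed header for offline demonstration, not a real executable.

```python
"""Does a PE file (java.exe, javaw.exe, VASSAL.exe) carry an Authenticode signature?
Added example for this thread, not VASSAL project code.  Signature presence is
recorded in optional-header data directory 4 (IMAGE_DIRECTORY_ENTRY_SECURITY);
validating chain/timestamp/revocation still needs osslsigncode or signtool."""
import struct
import sys

WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002  # PKCS#7 SignedData blob


def find_authenticode(data: bytes):
    """Return (offset, size, cert_type) of the attached WIN_CERTIFICATE, or None if unsigned."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt_off = pe_off + 4 + 20                                  # skip 20-byte COFF header
    (magic,) = struct.unpack_from("<H", data, opt_off)
    if magic == 0x10B:                                         # PE32
        dir_base = opt_off + 96
    elif magic == 0x20B:                                       # PE32+
        dir_base = opt_off + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    sec_off, sec_size = struct.unpack_from("<II", data, dir_base + 4 * 8)
    if sec_size == 0:
        return None                                            # no signature attached
    # WIN_CERTIFICATE header: dwLength u32, wRevision u16, wCertificateType u16
    _length, _revision, cert_type = struct.unpack_from("<IHH", data, sec_off)
    return sec_off, sec_size, cert_type


def _fake_pe(signed: bool) -> bytes:
    """Constructed minimal PE32+ header (not runnable) so the check works offline."""
    buf = bytearray(b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40))    # e_lfanew = 0x40
    buf += b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)
    blob = b""
    if signed:  # 16-byte WIN_CERTIFICATE with 8 placeholder bytes standing in for PKCS#7
        blob = struct.pack("<IHH", 16, 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + b"\0" * 8
        struct.pack_into("<II", opt, 112 + 4 * 8, len(buf) + len(opt), len(blob))
    return bytes(buf + opt + blob)


if __name__ == "__main__":
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else _fake_pe(True)
    info = find_authenticode(raw)
    print("unsigned" if info is None else "signed: blob at %d, %d bytes, type %#x" % info)
```

Run it as `python3 check_sig.py /path/to/java.exe`; a `None` result means no signature is attached at all, while a `signed` result only tells you a blob is present, so follow up with `osslsigncode verify` to see whether it actually validates.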

This, from the AdoptOpenJDK blog, seems to suggest that the bundler should oversign some of the bundled AdoptOpenJDK pieces: blog.adoptopenjdk.net/2020/05/a … plication/