
#1509 Digitally signed binaries

Won't_Implement
open
nobody
5
2024-06-19
2023-12-07
Atanas
No

Hello,

my organization makes use of both the SciTE.exe and the scintilla.dll, lexilla.dll libraries.
However, the application security audits require 3rd party binaries to be digitally signed.
Is there a way to obtain these binaries with a trusted digital signature?

Kind regards,
Atanas

Discussion

  • Neil Hodgson

    Neil Hodgson - 2023-12-07
    • labels: --> scite, scintilla
    • Group: Initial --> Won't_Implement
     
  • Neil Hodgson

    Neil Hodgson - 2023-12-07

    It costs money to purchase Windows code-signing digital certificates and the process of signing executables is complex and time consuming. Microsoft, unlike Apple, don't make this easy for open source projects.

     
  • Atanas

    Atanas - 2023-12-08

    Understandable. Thank you for the quick response!

     
  • José GONÇALVES

    With Certum, open source certificates are now 69 euro per year. The dongle was 105 euro including shipping (a few years ago).
    https://shop.certum.eu/open-source-code-signing.html

     
    • Neil Hodgson

      Neil Hodgson - 2024-02-11

      If I read that correctly, I would have to physically visit an identity verification point. These are concentrated in Europe and there are none in Australia where I live.

       
      • Martijn Laan

        Martijn Laan - 2024-06-19

        See https://www.support.certum.eu/en/required-documents/: they have two options actually. The first is what you're talking about but the second doesn't require you to make a physical visit. I just went through the process and it's quick and painless as long as you use a reliable email address which has no chance of rejecting any of their messages.

        Additionally I would recommend cloud signing. It's cheaper and also much more convenient if you ask me. See https://shop.certum.eu/open-source-code-signing-on-simplysign.html It does require you to install their 2FA app on a phone.

        I've been using Certum for many years now to sign Inno Setup and I understand how annoying this whole concept is but to me it's now better than it was in a very long time and am also glad Certum supports open source in this way.

        Let me know if you have questions.

         
