package and code signing

Certum certs seems to be the cheapest for open source projects. €14

https://www.certum.eu/certum/cert,offer_en_open_source_cs.xml

If it's that cheap I think we should do it.

for this amount, you only get a personal certificate :
Open Source Code Signing Certificates are issued only to natural persons

organisation code signing certificate cost $200+ a year

who as a user want to trust a package signed by "Mr xxx yyy" instead of "The Mixxx development team" ?
who as a developer wants to give the privkey of its personal code signing cert to the Mixxx build chain ?

Oh, I did not see that detail. That is a different situation then.

I think this would be a good reason to join Conservancy. They may already have a certificate that is shared among projects. If they don't, I think that would be a good idea. Then we could share the cost with other projects.

I asked Karen at Conservancy if any Conservancy member projects have a Windows signing key. She said another project is in the process of setting that up currently, so we may be able to share that.

I just tried installing 2.1 beta on my friend's computer running macOS and the OS would not let him install it without changing a configuration setting to allow running unsigned binaries.

If you try to install Mixxx on Win10 you get a warning from "Defender SmartScreen" you can only continue by going to a not very details dialog.
Here are some details: https://en.sklep.certum.pl/data-safety/code-signing-certificates/open-source-code-signing-935.html

https://www.certum.eu/certum/cert,offer_code_signing.xml
Is now for 28 €

@Sea: Would acquire a Personal Cert and install it on your Jenkins server?

I do not think we should get a personal certificate for the reasons Sébastien mentioned above. Furthermore, the cheap certificate for open source developers would not get rid of the scary warning on Windows until Microsoft determines that the certificate has a good enough reputation. How long that takes and how Microsoft determines that is unclear. An Extended Validation certificate is required to be sure the warning does not appear: https://www.digicert.com/blog/ms-smartscreen-application-reputation/

So I think we should join Software Freedom Conservancy and get an Extended Validation certificate. I think we would be able to cover the cost easily by asking our users for donations. Conservancy may already have a certificate that we can share and we may not need to purchase a new one, but we should check with the certificate authority that is permissible under their rules.

> Conservancy may already have a certificate that we can share and we may not need to purchase a new one, but we should check with the certificate authority that is permissible under their rules.

Sharing a private key isn't a great idea from a build security perspective. I'd prefer our build signing keys be highly restricted to those who truly need access (i.e. to install them on a builder VM).

Crossposting from lp:1765328, which has been marked as dupe

The 2.1 release can´t be opened at least on macOS 10.11+ ( 10.13.x is current) with default system security settings.

The Mixxx application has no Apple Developer ID, it expired, was not renewed, and was removed lately. Can not find it atm in the git log.

Error message on 1st launch
``
“Mixxx” can’t be opened because it is from an unidentified developer
Your security preferences allow installation of only apps from the App Store and identified developers.
``

To start Mixxx, a user has to go trough some hassle:
* System Preferences -> Security&Privacy

  ``Mixxx`` was blocked from opening because it is not from an identified developer --> Open anyway

or (not recommended)
* open a terminal
  sudo spctl --master-disable

  System Preferences -> Security&Privacy -> Allow apps downloaded from anywhere

The macOS build VM has a valid Developer ID cert again, and I re-enabled code signing on master, 2.1, and 2.2 build jobs.

Great, thanks. This is still an issue for Windows though, correct?

I have a code signing certificate (in my name) now, and am working on SCons support for running signtool (the Windows tool for code signing).

https://github.com/mixxxdj/mixxx/pull/1859 is merged

All Windows VMs have a certificate on them now. I think the final step for Windows is to sign the wix MSI, which I didn't do in PR #1859.

Mixxx now uses GitHub for bug tracking. This bug has been migrated to:
https://github.com/mixxxdj/mixxx/issues/8309