package and code signing

Bug #1517823 reported by Sébastien BLAISOT
14
This bug affects 2 people
Affects Status Importance Assigned to Milestone
Mixxx
Critical
RJ Skerry-Ryan

Bug Description

It would be nice to get a code signing certificate from certification authority and sign code and packages on the build server.

This way, our users will be able to verify integrity of sownloaded packages.

Integrity check is automatically done with installers most of time (at least under apt, yum and windows, I don't know for MacOS)

This will also avoid "Unknown publisher" warnings under windows

RJ Skerry-Ryan (rryan)
Changed in mixxx:
status: New → Confirmed
importance: Undecided → Wishlist
assignee: nobody → RJ Ryan (rryan)
milestone: none → 2.1.0
Revision history for this message
Sébastien BLAISOT (sblaisot) wrote :

Certum certs seems to be the cheapest for open source projects. €14

https://www.certum.eu/certum/cert,offer_en_open_source_cs.xml

Revision history for this message
Be (be.ing) wrote :

If it's that cheap I think we should do it.

Revision history for this message
Sébastien BLAISOT (sblaisot) wrote :

for this amount, you only get a personal certificate :
Open Source Code Signing Certificates are issued only to natural persons

organisation code signing certificate cost $200+ a year

who as a user want to trust a package signed by "Mr xxx yyy" instead of "The Mixxx development team" ?
who as a developer wants to give the privkey of its personal code signing cert to the Mixxx build chain ?

Revision history for this message
Be (be.ing) wrote :

Oh, I did not see that detail. That is a different situation then.

Revision history for this message
Be (be.ing) wrote :

I think this would be a good reason to join Conservancy. They may already have a certificate that is shared among projects. If they don't, I think that would be a good idea. Then we could share the cost with other projects.

Be (be.ing)
Changed in mixxx:
importance: Wishlist → Low
Revision history for this message
Be (be.ing) wrote :

I asked Karen at Conservancy if any Conservancy member projects have a Windows signing key. She said another project is in the process of setting that up currently, so we may be able to share that.

Changed in mixxx:
importance: Low → Medium
Revision history for this message
Be (be.ing) wrote :

I just tried installing 2.1 beta on my friend's computer running macOS and the OS would not let him install it without changing a configuration setting to allow running unsigned binaries.

Changed in mixxx:
importance: Medium → Critical
assignee: RJ Ryan (rryan) → Be (be.ing)
Revision history for this message
Daniel Schürmann (daschuer) wrote :

If you try to install Mixxx on Win10 you get a warning from "Defender SmartScreen" you can only continue by going to a not very details dialog.
Here are some details: https://en.sklep.certum.pl/data-safety/code-signing-certificates/open-source-code-signing-935.html

https://www.certum.eu/certum/cert,offer_code_signing.xml
Is now for 28 €

@Sea: Would acquire a Personal Cert and install it on your Jenkins server?

Revision history for this message
Be (be.ing) wrote :

I do not think we should get a personal certificate for the reasons Sébastien mentioned above. Furthermore, the cheap certificate for open source developers would not get rid of the scary warning on Windows until Microsoft determines that the certificate has a good enough reputation. How long that takes and how Microsoft determines that is unclear. An Extended Validation certificate is required to be sure the warning does not appear: https://www.digicert.com/blog/ms-smartscreen-application-reputation/

So I think we should join Software Freedom Conservancy and get an Extended Validation certificate. I think we would be able to cover the cost easily by asking our users for donations. Conservancy may already have a certificate that we can share and we may not need to purchase a new one, but we should check with the certificate authority that is permissible under their rules.

Revision history for this message
RJ Skerry-Ryan (rryan) wrote :

> Conservancy may already have a certificate that we can share and we may not need to purchase a new one, but we should check with the certificate authority that is permissible under their rules.

Sharing a private key isn't a great idea from a build security perspective. I'd prefer our build signing keys be highly restricted to those who truly need access (i.e. to install them on a builder VM).

Be (be.ing)
Changed in mixxx:
milestone: 2.1.0 → 2.2.0
Changed in mixxx:
milestone: 2.2.0 → 2.1.1
Revision history for this message
jus (jus) wrote :

Crossposting from lp:1765328, which has been marked as dupe

The 2.1 release can´t be opened at least on macOS 10.11+ ( 10.13.x is current) with default system security settings.

The Mixxx application has no Apple Developer ID, it expired, was not renewed, and was removed lately. Can not find it atm in the git log.

Error message on 1st launch
``
“Mixxx” can’t be opened because it is from an unidentified developer
Your security preferences allow installation of only apps from the App Store and identified developers.
``

To start Mixxx, a user has to go trough some hassle:
* System Preferences -> Security&Privacy

  ``Mixxx`` was blocked from opening because it is not from an identified developer --> Open anyway

or (not recommended)
* open a terminal
  sudo spctl --master-disable

  System Preferences -> Security&Privacy -> Allow apps downloaded from anywhere

Changed in mixxx:
milestone: 2.1.1 → 2.1.2
Changed in mixxx:
milestone: 2.1.2 → 2.1.3
Changed in mixxx:
milestone: 2.1.3 → none
Revision history for this message
RJ Skerry-Ryan (rryan) wrote :

The macOS build VM has a valid Developer ID cert again, and I re-enabled code signing on master, 2.1, and 2.2 build jobs.

Revision history for this message
Be (be.ing) wrote :

Great, thanks. This is still an issue for Windows though, correct?

Changed in mixxx:
assignee: Be (be.ing) → nobody
Revision history for this message
RJ Skerry-Ryan (rryan) wrote :

I have a code signing certificate (in my name) now, and am working on SCons support for running signtool (the Windows tool for code signing).

Changed in mixxx:
assignee: nobody → RJ Skerry-Ryan (rryan)
RJ Skerry-Ryan (rryan)
Changed in mixxx:
milestone: none → 2.2.0
Be (be.ing)
Changed in mixxx:
status: Confirmed → In Progress
Revision history for this message
RJ Skerry-Ryan (rryan) wrote :

https://github.com/mixxxdj/mixxx/pull/1859 is merged

All Windows VMs have a certificate on them now. I think the final step for Windows is to sign the wix MSI, which I didn't do in PR #1859.

Be (be.ing)
Changed in mixxx:
milestone: 2.2.0 → 2.1.5
status: In Progress → Fix Committed
RJ Skerry-Ryan (rryan)
Changed in mixxx:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Duplicates of this bug

Other bug subscribers