[Bf-committers] Vendor Approval Issue

Sergey Sharybin sergey.vfx at gmail.com
Sun Nov 9 16:31:19 CET 2014


Sounds like a plan to me.

Do we have volunteers to implement this? :)

On Sun, Nov 9, 2014 at 8:29 PM, Martijn Berger <martijn.berger at gmail.com>
wrote:

> Hi everyone.
>
> I think this is a great idea.
>
> I would like to propose the following steps.
>
> 1) We put in place the infrastructure
> 2) We use a self signed certificate ( blender foundation CA ) to sign our
> buildbot builds and installers.
> 3) We buy / beg an official certificate to the signing.
>
> This would allow us to delay spending the money till we can actually use
> the certificate. There are no real hurdles to just doing this but let's
> prove it works first.
>
> Martijn
>
>
> On Fri, Nov 7, 2014 at 1:39 AM, Dan McGrath <danmcgrath.ca at gmail.com>
> wrote:
>
> > Hey Ton,
> >
> > Well, the cert is just like any other SSL/x.509 certificate you would get,
> > except the properties of the certificate allow (limit) it to be used
> > specifically for signing code. You can get certs that can be set to only be
> > used for email, signing or encryption etc. The thing that makes this use of
> > the certificate unique (compared to regular SSL certificates) is that you
> > use special tools on Windows to sign binary files (as opposed to installing
> > in a web server like we do with SSL). Although given the special purpose of
> > making your software look reputable and legitimate, they (the industry) of
> > course demand a premium for the cost of generating these certificates (ie:
> > they charge you up the wazoo!). Like our EV certificates, I believe they
> > also go through extra identity checks before they just hand one of these
> > certificates over to you.
> >
> > Comodo (our certificate provider) offers these certificates as well if you
> > are interested (Starting at $166.95/year):
> >
> > https://www.comodo.com/business-security/code-signing-certificates/code-signing.php
> >
> > With one of those, you should be able to follow the steps in the Microsoft
> > url I pasted earlier to do code signing. I believe you could even generate
> > your own self signed CA cert and create one of these code signing
> > certificates to test the tools, but such a certificate would not be trusted
> > of course, and would only be useful to practice the workflow.
> >
> >
> > Dan
> >
> >
> > On Thu, Nov 6, 2014 at 12:37 PM, Ton Roosendaal <ton at blender.org> wrote:
> >
> > > Hi,
> > >
> > > I don't mind paying a bit, for as long as it's an undisputed, official cert
> > > recommended by Microsoft.
> > >
> > > -Ton-
> > >
> > > --------------------------------------------------------
> > > Ton Roosendaal  -  ton at blender.org   -   www.blender.org
> > > Chairman Blender Foundation - Producer Blender Institute
> > > Entrepotdok 57A  -  1018AD Amsterdam  -  The Netherlands
> > >
> > >
> > >
> > > On 6 Nov, 2014, at 15:51, Dan McGrath wrote:
> > >
> > > > It sounds like Microsoft calls this "Authenticode". I don't have any
> > > > personal experience with it myself, but I did find this url at Microsoft's
> > > > website that might be of use to those looking into this:
> > > >
> > > >  http://msdn.microsoft.com/en-us/library/ie/ms537359(v=vs.85).aspx
> > > >
> > > > Dan
> > > >
> > > > On Thu, Nov 6, 2014 at 9:12 AM, Ton Roosendaal <ton at blender.org> wrote:
> > > >
> > > >> Hi all,
> > > >>
> > > >> For OS X we sign the binary using our Apple developer account.
> > > >> It seems there's a similar system for Windows exes too.
> > > >> Please advise!
> > > >>
> > > >> (See mail below).
> > > >>
> > > >> -Ton-
> > > >>
> > > >> --------------------------------------------------------
> > > >> Ton Roosendaal  -  ton at blender.org   -   www.blender.org
> > > >> Chairman Blender Foundation - Producer Blender Institute
> > > >> Entrepotdok 57A  -  1018AD Amsterdam  -  The Netherlands
> > > >>
> > > >>
> > > >>
> > > >> Begin forwarded message:
> > > >>
> > > >>> Subject: Vendor Approval Issue
> > > >>> Date: 6 November, 2014 14:17:11 CET
> > > >>> To: foundation at blender.org
> > > >>>
> > > >>> Hi
> > > >>>
> > > >>> I have a generic issue that needs addressing so I have contacted
> > > >>> this email address in the hope that you can redirect it
> > > >>> appropriately.
> > > >>>
> > > >>> I use Comodo Internet Security Premium which includes a Defense
> > > >>> Plus element for monitoring running processes. Whilst I have
> > > >>> approved Blender as a process it refuses to recognise the Vendor as
> > > >>> the .exe file is not signed and has no developer information so it
> > > >>> will not allow me to add it to the approved list and keeps flagging
> > > >>> it every time I launch Blender.
> > > >>>
> > > >>> I am bringing this to your attention as it is annoying and I am
> > > >>> sure other users are experiencing the same issue and it could be
> > > >>> easily resolved but that can only be done by the development team.
> > > >>>
> > > >>> Trusted Vendors can sign up here to be whitelisted:
> > > >>>
> > > >>> http://internetsecurity.comodo.com/trustedvendor/signup.php
> > > >>>
> > > >>> Many thanks
> > > >>>
> > > >>> Mark
> > > >>>
> > > >>
> > > >> _______________________________________________
> > > >> Bf-committers mailing list
> > > >> Bf-committers at blender.org
> > > >> http://lists.blender.org/mailman/listinfo/bf-committers



-- 
With best regards, Sergey Sharybin
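
The test workflow discussed in the quoted messages (a self-signed CA issuing a certificate whose properties limit it to code signing), sketched with the OpenSSL CLI as an added example that is not part of the thread or of the Blender build scripts. It assumes OpenSSL 1.1.0 or later; every subject name and file name is constructed, and the detached `openssl dgst` signature stands in for an Authenticode signing tool.

```sh
# Added example; every subject name and path here is constructed for illustration.
set -eu
build_test_chain() {  # $1: empty work dir; writes ca.pem, leaf.pem and their keys
    cat > "$1/x509.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign
[codesign_ext]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = codeSigning
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 -config "$1/x509.cnf" \
        -extensions ca_ext -subj "/CN=Test CA (constructed)" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -config "$1/x509.cnf" \
        -subj "/CN=Test Publisher (constructed)" \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" -CAcreateserial \
        -days 30 -sha256 -extfile "$1/x509.cnf" -extensions codesign_ext \
        -out "$1/leaf.pem" 2>/dev/null
}

leaf_is_codesign_only() {  # EKU lists Code Signing and no TLS server usage
    txt=$(openssl x509 -in "$1/leaf.pem" -noout -text)
    case $txt in *"TLS Web Server Authentication"*) return 1 ;; esac
    case $txt in *"Code Signing"*) return 0 ;; *) return 1 ;; esac
}

chain_trusted() {  # $2 = explicit trust anchor; without it the default store is used
    if [ $# -ge 2 ]; then openssl verify -CAfile "$2" "$1/leaf.pem"
    else openssl verify "$1/leaf.pem"; fi >/dev/null 2>&1
}

sign_file() { openssl dgst -sha256 -sign "$1/leaf.key" -out "$2.sig" "$2"; }
signature_ok() {  # detached signature on $2 checks out against the leaf's public key
    openssl x509 -in "$1/leaf.pem" -noout -pubkey > "$1/leaf.pub"
    openssl dgst -sha256 -verify "$1/leaf.pub" -signature "$2.sig" "$2" >/dev/null 2>&1
}

work=$(mktemp -d); build_test_chain "$work"
printf 'constructed stand-in for a build artifact\n' > "$work/app.bin"
sign_file "$work" "$work/app.bin"
chain_trusted "$work" || echo "leaf is untrusted until the test CA is installed as an anchor"
rm -rf "$work"
```

The leaf validates only when the test CA is supplied as a trust anchor, which is why a certificate from a publicly trusted CA is still needed before end users' machines accept the signature.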

