[Bf-committers] Vendor Approval Issue

Martijn Berger martijn.berger at gmail.com
Sun Nov 9 16:36:43 CET 2014


Hi Sergey,

Would you mind making a Blender Institute CA if we don't have one?
I'll send you a certificate signing request for a code signing certificate,
so I can make the proof of concept happen.

Martijn




On Sun, Nov 9, 2014 at 4:31 PM, Sergey Sharybin <sergey.vfx at gmail.com>
wrote:

> Sounds like a plan to me.
>
> Do we have volunteers to implement this? :)
>
> On Sun, Nov 9, 2014 at 8:29 PM, Martijn Berger <martijn.berger at gmail.com>
> wrote:
>
> > Hi everyone.
> >
> > I think this is a great idea.
> >
> > I would like to propose the following steps.
> >
> > 1) We put in place the infrastructure.
> > 2) We use a self-signed certificate (Blender Foundation CA) to sign our
> > buildbot builds and installers.
> > 3) We buy / beg an official certificate to do the signing.
> >
> > This would allow us to delay spending the money till we can actually use
> > the certificate. There are no real hurdles to just doing this but let's
> > prove it works first.
> >
> > Martijn
> >
> >
> > On Fri, Nov 7, 2014 at 1:39 AM, Dan McGrath <danmcgrath.ca at gmail.com>
> > wrote:
> >
> > > Hey Ton,
> > >
> > > Well, the cert is just like any other SSL/x.509 certificate you would
> > > get, except the properties of the certificate allow (limit) it to be
> > > used specifically for signing code. You can get certs that can be set
> > > to only be used for email, signing or encryption etc. The thing that
> > > makes this use of the certificate unique (compared to regular SSL
> > > certificates) is that you use special tools on Windows to sign binary
> > > files (as opposed to installing in a web server like we do with SSL).
> > > Although given the special purpose of making your software look
> > > reputable and legitimate, they (the industry) of course demand a
> > > premium for the cost of generating these certificates (ie: they charge
> > > you up the wazoo!). Like our EV certificates, I believe they also go
> > > through extra identity checks before they just hand one of these
> > > certificates over to you.
> > >
> > > Comodo (our certificate provider) offers these certificates as well if
> > > you are interested (Starting at $166.95/year):
> > >
> > > https://www.comodo.com/business-security/code-signing-certificates/code-signing.php
> > >
> > > With one of those, you should be able to follow the steps in the
> > > Microsoft url I pasted earlier to do code signing. I believe you could
> > > even generate your own self signed CA cert and create one of these code
> > > signing certificates to test the tools, but such a certificate would
> > > not be trusted of course, and would only be useful to practice the
> > > workflow.
> > >
> > >
> > > Dan
> > >
> > >
> > > On Thu, Nov 6, 2014 at 12:37 PM, Ton Roosendaal <ton at blender.org> wrote:
> > >
> > > > Hi,
> > > >
> > > > I don't mind paying a bit, for as long as it's an undisputed, official
> > > > cert recommended by Microsoft.
> > > >
> > > > -Ton-
> > > >
> > > > --------------------------------------------------------
> > > > Ton Roosendaal  -  ton at blender.org   -   www.blender.org
> > > > Chairman Blender Foundation - Producer Blender Institute
> > > > Entrepotdok 57A  -  1018AD Amsterdam  -  The Netherlands
> > > >
> > > >
> > > >
> > > > On 6 Nov, 2014, at 15:51, Dan McGrath wrote:
> > > >
> > > > > It sounds like Microsoft calls this "Authenticode". I don't have any
> > > > > personal experience with it myself, but I did find this url at
> > > > > Microsoft's website that might be of use to those looking into this:
> > > > >
> > > > >  http://msdn.microsoft.com/en-us/library/ie/ms537359(v=vs.85).aspx
> > > > >
> > > > > Dan
> > > > >
> > > > > On Thu, Nov 6, 2014 at 9:12 AM, Ton Roosendaal <ton at blender.org> wrote:
> > > > >
> > > > >> Hi all,
> > > > >>
> > > > >> For OS X we sign the binary using our Apple developer account.
> > > > >> It seems there's a similar system for Windows exes too.
> > > > > >> Please advise!
> > > > >>
> > > > >> (See mail below).
> > > > >>
> > > > >> -Ton-
> > > > >>
> > > > >> --------------------------------------------------------
> > > > >> Ton Roosendaal  -  ton at blender.org   -   www.blender.org
> > > > >> Chairman Blender Foundation - Producer Blender Institute
> > > > >> Entrepotdok 57A  -  1018AD Amsterdam  -  The Netherlands
> > > > >>
> > > > >>
> > > > >>
> > > > >> Begin forwarded message:
> > > > >>
> > > > >>> Subject: Vendor Approval Issue
> > > > >>> Date: 6 November, 2014 14:17:11 CET
> > > > >>> To: foundation at blender.org
> > > > >>>
> > > > >>> Hi
> > > > >>>
> > > > > >>> I have a generic issue that needs addressing so I have contacted
> > > > > >>> this email address in the hope that you can redirect it
> > > > > >>> appropriately.
> > > > > >>>
> > > > > >>> I use Comodo Internet Security Premium which includes a Defense
> > > > > >>> Plus element for monitoring running processes. Whilst I have
> > > > > >>> approved Blender as a process it refuses to recognise the Vendor
> > > > > >>> as the .exe file is not signed and has no developer information
> > > > > >>> so it will not allow me to add it to the approved list and keeps
> > > > > >>> flagging it every time I launch Blender.
> > > > > >>>
> > > > > >>> I am bringing this to your attention as it is annoying and I am
> > > > > >>> sure other users are experiencing the same issue and it could be
> > > > > >>> easily resolved but that can only be done by the development
> > > > > >>> team.
> > > > >>>
> > > > >>> Trusted Vendors can sign up here to be whitelisted:
> > > > >>>
> > > > >>> http://internetsecurity.comodo.com/trustedvendor/signup.php
> > > > >>>
> > > > >>> Many thanks
> > > > >>>
> > > > >>> Mark
> > > > >>>
> > > > >>
> > > > >> _______________________________________________
> > > > >> Bf-committers mailing list
> > > > >> Bf-committers at blender.org
> > > > >> http://lists.blender.org/mailman/listinfo/bf-committers
> > > > >>
> --
> With best regards, Sergey Sharybin
>
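
The proof-of-concept flow discussed in this thread (a self-signed test CA, a certificate signing request, and a certificate whose properties limit it to code signing), as an added example that is not part of the original messages or of Blender's build infrastructure. It assumes the `openssl` command-line tool; the subject names, file names and 30-day lifetime are constructed for illustration.

```sh
# Added example: every name below ("Example Test CA", "Example Build Signer") is constructed.
set -eu

make_test_chain() {  # $1 = output directory
    d=$1; mkdir -p "$d"
    cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Test CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
    # Extensions the CA stamps on the leaf; the EKU is what restricts it to code signing.
    cat > "$d/codesign.ext" <<'EOF'
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = codeSigning
EOF
    # 1. CA side: self-signed root certificate.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$d/ca.cnf" \
        -keyout "$d/ca.key" -out "$d/ca.crt" >/dev/null 2>&1
    # 2. Requester side: the private key stays local, only the CSR is sent to the CA.
    openssl req -new -newkey rsa:2048 -nodes -config "$d/ca.cnf" \
        -subj "/CN=Example Build Signer" \
        -keyout "$d/signer.key" -out "$d/signer.csr" >/dev/null 2>&1
    # 3. CA side: issue the certificate from the CSR with the code-signing extensions.
    openssl x509 -req -in "$d/signer.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 30 -extfile "$d/codesign.ext" \
        -out "$d/signer.crt" >/dev/null 2>&1
}
allows_code_signing() {  # $1 = certificate file
    openssl x509 -in "$1" -noout -text | grep -q 'Code Signing'
}
chains_to_ca() {  # $1 = directory written by make_test_chain
    openssl verify -CAfile "$1/ca.crt" "$1/signer.crt" >/dev/null 2>&1
}
usable_as_tls_server() {  # same chain, checked for a purpose the EKU does not permit
    openssl verify -purpose sslserver -CAfile "$1/ca.crt" "$1/signer.crt" >/dev/null 2>&1
}

work=$(mktemp -d)
make_test_chain "$work"
chains_to_ca "$work" && echo "signer.crt chains to the test CA"
allows_code_signing "$work/signer.crt" && echo "EKU: Code Signing"
usable_as_tls_server "$work" || echo "rejected as a TLS server certificate"
rm -rf "$work"
```

A chain like this verifies only where `ca.crt` has been installed as a trusted root, so it rehearses the signing workflow without making the resulting signatures trusted on other machines.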

