[Bf-committers] Vendor Approval Issue

Sergey Sharybin sergey.vfx at gmail.com
Sun Nov 9 16:38:54 CET 2014


Hrm, think it should be BF CA cert?

On Sun, Nov 9, 2014 at 8:36 PM, Martijn Berger <martijn.berger at gmail.com>
wrote:

> Hi Sergey-,
>
> You mind making a Blender Institute CA if we don't have one.
> I'll send you a certificate signing request for a code signing certificate.
> So I can make the proof of concept happen.
>
> Martijn
>
>
>
>
> On Sun, Nov 9, 2014 at 4:31 PM, Sergey Sharybin <sergey.vfx at gmail.com>
> wrote:
>
> > Sounds like a plan to me.
> >
> > Do we have volunteers to implement this? :)
> >
> > On Sun, Nov 9, 2014 at 8:29 PM, Martijn Berger <martijn.berger at gmail.com>
> > wrote:
> >
> > > Hi everyone.
> > >
> > > I think this is a great idea.
> > >
> > > I would like to propose the following steps.
> > >
> > > 1) We put in place the infrastructure
> > > 2) We use a self-signed certificate ( blender foundation CA ) to sign our
> > > buildbot builds and installers.
> > > 3) We buy / beg an official certificate to the signing.
> > >
> > > This would allow us to delay spending the money till we can actually use
> > > the certificate. There are no real hurdles to just doing this but let's
> > > prove it works first.
> > >
> > > Martijn
> > >
> > >
> > > On Fri, Nov 7, 2014 at 1:39 AM, Dan McGrath <danmcgrath.ca at gmail.com>
> > > wrote:
> > >
> > > > Hey Ton,
> > > >
> > > > Well, the cert is just like any other SSL/x.509 certificate you would get,
> > > > except the properties of the certificate allow (limit) it to be used
> > > > specifically for signing code. You can get certs that can be set to only be
> > > > used for email, signing or encryption etc. The thing that makes this use of
> > > > the certificate unique (compared to regular SSL certificates) is that you
> > > > use special tools on Windows to sign binary files (as opposed to installing
> > > > in a web server like we do with SSL). Although given the special purpose of
> > > > making your software look reputable and legitimate, they (the industry) of
> > > > course demand a premium for the cost of generating these certificates (ie:
> > > > they charge you up the wazoo!). Like our EV certificates, I believe they
> > > > also go through extra identity checks before they just hand one of these
> > > > certificates over to you.
> > > >
> > > > Comodo (our certificate provider) offers these certificates as well if you
> > > > are interested (Starting at $166.95/year):
> > > >
> > > > https://www.comodo.com/business-security/code-signing-certificates/code-signing.php
> > > >
> > > > With one of those, you should be able to follow the steps in the Microsoft
> > > > url I pasted earlier to do code signing. I believe you could even generate
> > > > your own self-signed CA cert and create one of these code signing
> > > > certificates to test the tools, but such a certificate would not be trusted
> > > > of course, and would only be useful to practice the workflow.
> > > >
> > > >
> > > > Dan
> > > >
> > > >
> > > > On Thu, Nov 6, 2014 at 12:37 PM, Ton Roosendaal <ton at blender.org> wrote:
> > > >
> > > > > Hi,
> > > > >
> > > > > I don't mind paying a bit, for as long it's an undisputed, official cert
> > > > > recommended by Microsoft.
> > > > >
> > > > > -Ton-
> > > > >
> > > > > --------------------------------------------------------
> > > > > Ton Roosendaal  -  ton at blender.org   -   www.blender.org
> > > > > Chairman Blender Foundation - Producer Blender Institute
> > > > > Entrepotdok 57A  -  1018AD Amsterdam  -  The Netherlands
> > > > >
> > > > >
> > > > >
> > > > > On 6 Nov, 2014, at 15:51, Dan McGrath wrote:
> > > > >
> > > > > > It sounds like Microsoft calls this "Authenticode". I don't have any
> > > > > > personal experience with it myself, but I did find this url at Microsoft's
> > > > > > website that might be of use to those looking into this:
> > > > > >
> > > > > > http://msdn.microsoft.com/en-us/library/ie/ms537359(v=vs.85).aspx
> > > > > >
> > > > > > Dan
> > > > > >
> > > > > > On Thu, Nov 6, 2014 at 9:12 AM, Ton Roosendaal <ton at blender.org> wrote:
> > > > > >
> > > > > >> Hi all,
> > > > > >>
> > > > > >> For OS X we sign the binary using our Apple developer account.
> > > > > >> It seems there's a similar system for Windows exes too.
> > > > > > >> Please advise!
> > > > > >>
> > > > > >> (See mail below).
> > > > > >>
> > > > > >> -Ton-
> > > > > >>
> > > > > >> --------------------------------------------------------
> > > > > >> Ton Roosendaal  -  ton at blender.org   -   www.blender.org
> > > > > >> Chairman Blender Foundation - Producer Blender Institute
> > > > > >> Entrepotdok 57A  -  1018AD Amsterdam  -  The Netherlands
> > > > > >>
> > > > > >>
> > > > > >>
> > > > > >> Begin forwarded message:
> > > > > >>
> > > > > >>> Subject: Vendor Approval Issue
> > > > > >>> Date: 6 November, 2014 14:17:11 CET
> > > > > >>> To: foundation at blender.org
> > > > > >>>
> > > > > >>> Hi
> > > > > >>>
> > > > > > >>> I have a generic issue that needs addressing so I have contacted
> > > > > > >>> this email address in the hope that you can redirect it
> > > > > > >>> appropriately.
> > > > > > >>>
> > > > > > >>> I use Comodo Internet Security Premium which includes a Defense
> > > > > > >>> Plus element for monitoring running processes. Whilst I have
> > > > > > >>> approved Blender as a process it refuses to recognise the Vendor as
> > > > > > >>> the .exe file is not signed and has no developer information so it
> > > > > > >>> will not allow me to add it to the approved list and keeps flagging
> > > > > > >>> it every time I launch Blender.
> > > > > > >>>
> > > > > > >>> I am bringing this to your attention as it is annoying and I am
> > > > > > >>> sure other users are experiencing the same issue and it could be
> > > > > > >>> easily resolved but that can only be done by the development team.
> > > > > >>>
> > > > > >>> Trusted Vendors can sign up here to be whitelisted:
> > > > > >>>
> > > > > >>> http://internetsecurity.comodo.com/trustedvendor/signup.php
> > > > > >>>
> > > > > >>> Many thanks
> > > > > >>>
> > > > > >>> Mark
> > > > > >>>
> > > > > >>
> > > > > >> _______________________________________________
> > > > > >> Bf-committers mailing list
> > > > > >> Bf-committers at blender.org
> > > > > >> http://lists.blender.org/mailman/listinfo/bf-committers
> > > > > >>
> > > > > > _______________________________________________
> > > > > > Bf-committers mailing list
> > > > > > Bf-committers at blender.org
> > > > > > http://lists.blender.org/mailman/listinfo/bf-committers
> > > > >
> > > > > _______________________________________________
> > > > > Bf-committers mailing list
> > > > > Bf-committers at blender.org
> > > > > http://lists.blender.org/mailman/listinfo/bf-committers
> > > > >
> > > > _______________________________________________
> > > > Bf-committers mailing list
> > > > Bf-committers at blender.org
> > > > http://lists.blender.org/mailman/listinfo/bf-committers
> > > >
> > > _______________________________________________
> > > Bf-committers mailing list
> > > Bf-committers at blender.org
> > > http://lists.blender.org/mailman/listinfo/bf-committers
> > >
> >
> >
> >
> > --
> > With best regards, Sergey Sharybin



-- 
With best regards, Sergey Sharybin
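
The flow discussed in this thread (a self-signed test CA, a CSR from the person who will sign builds, and a leaf certificate whose extended key usage limits it to code signing), as an added example that is not part of the original messages or of Blender's build infrastructure. It uses the OpenSSL command line; subject names, file names and lifetimes are constructed, and the Windows signing step itself is not shown.

```shell
#!/usr/bin/env bash
# Added example. Subject names, file names and lifetimes are constructed.
set -eu

make_test_pki() {            # $1 = output directory
  d=$1; mkdir -p "$d"
  cat > "$d/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Test CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[codesign_leaf]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = critical,codeSigning
EOF
  # CA side: self-signed root, trusted nowhere until someone imports it.
  openssl req -x509 -config "$d/pki.cnf" -newkey rsa:2048 -nodes -days 30 \
    -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
  # Requester side: the private key stays local, only the CSR goes to the CA.
  openssl req -new -config "$d/pki.cnf" -subj "/CN=Example Build Signer" \
    -newkey rsa:2048 -nodes -keyout "$d/signer.key" -out "$d/signer.csr" 2>/dev/null
  # CA side: issue the leaf with the EKU that restricts it to code signing.
  openssl x509 -req -in "$d/signer.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$d/pki.cnf" \
    -extensions codesign_leaf -out "$d/signer.crt" 2>/dev/null
}

chain_ok() {                 # leaf chains to the test CA
  openssl verify -CAfile "$1/ca.crt" "$1/signer.crt" >/dev/null 2>&1
}

leaf_eku() {                 # prints the leaf's EKU list with spaces removed
  openssl x509 -in "$1/signer.crt" -noout -text |
    grep -A1 'Extended Key Usage' | tail -n 1 | tr -d ' '
}

tls_use_rejected() {         # same chain must fail when validated as a TLS server cert
  ! openssl verify -purpose sslserver -CAfile "$1/ca.crt" "$1/signer.crt" >/dev/null 2>&1
}

out=$(mktemp -d)
make_test_pki "$out"
chain_ok "$out" && tls_use_rejected "$out" && echo "leaf EKU: $(leaf_eku "$out")"
```

A certificate issued this way validates only where `ca.crt` has been imported as a trusted root, so it exercises the signing workflow without changing how Windows or security products treat the resulting binaries.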

