natemcmaster / CommandLineUtils

Command line parsing and utilities for .NET

Home Page:https://natemcmaster.github.io/CommandLineUtils/

My code signing cert expires soon, planning to drop code signatures on NuGet package

natemcmaster opened this issue · comments

Hey all,

I used to get code-signing certs for free (perk of being a Microsoft employee.) I've lost that perk, so no more freebies. My current code-signing certificate expires in a few months. Once it does, I'm not planning to renew as renewal is not cheap.

If this is a concern for you, we have until July 2020 to change course. As far as I can tell, though, no one really cares about code-signed NuGet packages (except the NuGet team and Microsoft.)

Alternatives to dropping code signing:

  • help sponsor this project. I need a few sponsors to get enough to fund yearly renewals of the cert.
  • help me find a code signing CA for free.
  • if you are a CA reading this, consider being generous to open-source contributors like myself.

Please comment if you have concerns or suggestions.

For what it's worth, DigiCert seems to have gone off the deep-end with their Code Signing cert prices. You could consider a certificate from Comodo / Sectigo that is about $70 / year.

https://comodosslstore.com/code-signing

There is no reason not to use Comodo. Their certs are fine and just as trustworthy.

Thanks for the suggestion, @vcsjones! I think I'll look into that.

Out of curiosity, if I stopped code signing this package, would it impact you at all?

I currently maintain ~150 packages with 21 million downloads. So far no one has asked for signed packages, so IMO I don't think it is worth the effort or the cost.

It's maybe more of an issue when users are installing a desktop app (as administrator even) than when they're using a NuGet package in their build; I've not really noticed signed NuGet packages before.

I have never seen it at a dev shop, of which I have worked at many, including large financials, and package signing is not something that has ever been mentioned...

> Out of curiosity, if I stopped code signing this package, would it impact you at all?

Frankly, no. Though I am a tool / package author myself, perhaps someone upstream might care, I don't believe anything would change for me.

> I have never seen it at a dev shop, of which I have worked at many, including large financials, and package signing is not something that has ever been mentioned...

That's basically what I suspected. Seems like code signing is most commonly useful if

  • you want your downloaded Windows installer to pass SmartScreen (doesn't apply to NuGet packages)
  • or you are working at a company that has heavy restrictions on open source usage and requires you to enforce NuGet package security rules on download.

For the latter, I've never seen anyone outside of Microsoft doing this, so figured dropping the code signing is unlikely to impact anyone.
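For the latter case, this is what "enforcing NuGet package security rules on download" looks like in practice: a nuget.config that makes restore fail for any package not signed by a listed signer. It is an added illustration, not a file from this repository; the author name, owner name and certificate fingerprints are placeholders.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Constructed example nuget.config; not part of the CommandLineUtils project. -->
<configuration>
  <config>
    <!-- "require": restore fails for any package lacking a valid signature from a trusted signer.
         The default, "accept", only validates signatures that happen to be present. -->
    <add key="signatureValidationMode" value="require" />
  </config>
  <trustedSigners>
    <!-- Author signature: the publisher's own code-signing certificate, which is what
         this issue is about dropping. Fingerprint is a placeholder for the cert's SHA-256. -->
    <author name="example-publisher">
      <certificate fingerprint="PLACEHOLDER_AUTHOR_CERT_SHA256"
                   hashAlgorithm="SHA256"
                   allowUntrustedRoot="false" />
    </author>
    <!-- Repository signature: nuget.org counter-signs every package it serves, so a consumer
         trusting this certificate still gets a verified signature when the author stops signing. -->
    <repository name="nuget.org" serviceIndex="https://api.nuget.org/v3/index.json">
      <certificate fingerprint="PLACEHOLDER_NUGET_ORG_CERT_SHA256"
                   hashAlgorithm="SHA256"
                   allowUntrustedRoot="false" />
      <!-- Optional: only trust packages whose nuget.org owner list includes these accounts. -->
      <owners>example-owner</owners>
    </repository>
  </trustedSigners>
</configuration>
```

With this file in place, a restore refuses any package that is not signed by one of the listed signers. Because nuget.org repository-signs everything it hosts, a consumer who trusts the nuget.org repository certificate is unaffected by an author dropping their own signature; only consumers pinned to the author certificate would need to change this file.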