Certificate revoked

Question

Certificate revoked

Akababa opened this issue 5 years ago · comments

Michael Pang commented 5 years ago

It's blocked by windows UAC -- is this still safe?

Michael Pang · Answer 1 · Tue Dec 03 2019 13:57:36 GMT+0800 (China Standard Time)

Unsigned version from https://code.google.com/archive/p/svg-explorer-extension/downloads works fine.

matt wilkie · Answer 2 · Wed Dec 04 2019 07:02:18 GMT+0800 (China Standard Time)

thanks @Akababa. I added the unsigned binary install programs to the Github releases: https://github.com/maphew/svg-explorer-extension/releases/tag/v0.1.1

matt wilkie · Answer 3 · Wed Dec 04 2019 07:12:01 GMT+0800 (China Standard Time)

Closing this, though resolving #27 and/or #28 will be the real fix (generating new install binaries from current code base).

Kurt Fitzner · Answer 4 · Wed May 20 2020 21:56:23 GMT+0800 (China Standard Time)

Perhaps you want to offer some more details as to why the certificate was revoked. A certificate revocation on a code signing certificate is a serious event. Telling people to just move to an unsigned version doesn't address concerns over, say, why the certificate was revoked in the first place.

Tibold Kandrai · Answer 5 · Wed May 20 2020 22:02:43 GMT+0800 (China Standard Time)

I have no clue why it was revoked. That certificate is so old I have no access to any of it anymore. The free certificate offering for open source code was discontinued, so I don’t actually know from where to get a new certificate cheap. Tibold Kandrai Software Architect & Engineer

…

________________________________ From: Kurt Fitzner <notifications@github.com> Sent: Wednesday, May 20, 2020 3:56:39 PM To: tibold/svg-explorer-extension <svg-explorer-extension@noreply.github.com> Cc: Subscribed <subscribed@noreply.github.com> Subject: Re: [tibold/svg-explorer-extension] Certificate revoked (#29) Perhaps you want to offer some more details as to why the certificate was revoked. A certificate revocation on a code signing certificate is a serious event. Telling people to just move to an unsigned version doesn't address concerns over, say, why the certificate was revoked in the first place. — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub<#29 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AAPCDA2CILDDSXOFQXQR6N3RSPORPANCNFSM4JUSMMJA>.

Kurt Fitzner · Answer 6 · Wed May 20 2020 23:07:11 GMT+0800 (China Standard Time)

I would recommend Certum. They offer open source code signing certificates for €25, which is the cheapest I know about. Unfortunately, I don't know of any more free code signing certificates for open source developers.

Tibold Kandrai · Answer 7 · Wed May 20 2020 23:09:28 GMT+0800 (China Standard Time)

Thanks, I was considering that too. They were the ones that offered the free one as well.

matt wilkie · Answer 8 · Sat May 30 2020 14:12:16 GMT+0800 (China Standard Time)

perhaps CodeNotary? See ad post: https://medium.com/vchaincodenotary/developers-unite-against-the-expensive-and-cumbersome-code-signing-certificates-d54342016a64.

Kurt Fitzner · Answer 9 · Sat May 30 2020 19:51:48 GMT+0800 (China Standard Time)

From what I can tell, CodeNotary is a side-channel software verification system that doesn't interface with the Windows installer. How much you have to pay for it no one can actually see, because they are careful not to say anywhere how much you have to pay until after you sign up for the "free 30 day trial". It looks like they have a community edition which is free to use, but I can't verify that with them. Yet another company who thinks that "blockchain" will attract investors. If you are going to force your users to install something to verify your signatures, why not get them to add hash-checking to their context menu? That then will work for all open source projects and not just the ones who use codenotary.