HACKER Q&A
📣 Rodeoclash

Code signing open source windows applications?


I've spent a month building an open source application for windows [1] mostly assuming that windows worked as it did the last time I built a desktop app (circa 2003). Obviously, things have changed and we now live in new world of Authenticode signed applications! Exciting!

In no particular order:

1. This seems extremely hostile to open source. I have to outlay ~90 AUD per year for the cheapest possible code signing? When I'm not making any money off my product??

2. It looks like have some movement towards a service that will do code signing much in the same way Lets Encrypt offers free certificates in the form of https://www.sigstore.dev/ - has anybody used this? any other options available in the near future that might also solve this?

3. Finally, I'm about ready to give up and just eat the cost. Any suggestions on what provider to use? (I'm based in Australia)

[1] https://github.com/Rodeoclash/vodon-pro

  👤 eatonphil Accepted Answer ✓
I don't sign the build at all for Windows or Mac for DataStation [0]. I'm planning to sign the mac build because it's cheap and not insane. Windows signing is expensive and insane.

[0] https://github.com/multiprocessio/datastation

👤 duped
The tact most free/foss apps take is to not sign the application and users just have to set their permissions for the app accordingly.

You can also charge for signed binaries to cover your costs.

👤 evnix
sigstore would likely not be in the list of Microsoft's accepted certs.

Another option would be to publish straight to Microsoft store which I believe is free.