I mean, aside from the $100/yr cost, Apple’s signing is the most hassle free you can get. You just sign up and get a certificate. If your app is modified, macOS won’t run it. It’s really good. Just a whole lot of dotting your i’s and crossing your t’s in the actual signing process.
Windows code signing certificates are a nightmare to obtain, and provide little actual protection, but the signing process is easy.
What you are not taking in consideration is that I am talking about a movement to remove greed from the equation, in a almost non for profit business. And Apple can’t do that and would avoid such thing to exist if making part of the board. And yes, I am talking about the rest of the non Apple code-signing. You would still be happy the way you like it, Apple would still do the things the way they like in some proprietary Apple way, that’s why Tim Cook and such thing are incompatible.
The bad part is that you paid for something that will take time, increase the difficulty to produce your product, and MAY not remove those blocks you want to avoid unless you paid the EV level and did all the paperwork they will demand. There should be SOME OTHER way to solve this problem in a global fashion and with low prices. Some org should do a joint effort to solve it, as they did to solve the processor development advancements restrictions creating the open hardware RISC-V design or the security increase, for the web, with the “Let’s Encrypt”. Some “Let’s Code Sign” should exist.
It’s all dependent on Microsoft trusting your root certificate. That’s why these cost money and require such verification. It a trusted root is used to sign an excessive amount of malware, Microsoft won’t trust it. Giving the certificates value decreases the abuse, but the verification is where the bulk of the malcontents get filtered away.
We already see issues with some providers not trusting Let’s Encrypt. Luckily most do, but Let’s Encrypt really breaks the chain of trust that is supposed to exist for certificates. The system says “I trust you, and you trust him, so I trust him.” Let’s Encrypt skips the “you trust him” step and just issues a certificate for anybody that asks.
It’s both a good and a bad thing. I use Let’s Encrypt. I do believe that SSL shouldn’t be so expensive. But you’re paying for the verification, not for the certificate.
A “Let’s Code Sign” is more difficult because there’s no domain to show to the user. Nothing is stopping multiple certificates from being issued for the same common name, which is the one shown in the “do you trust this publisher” dialog in Windows. If such a service were to exist, what would stop me from obtaining a certificate in Xojo’s name?
And why do you think someone will construct a certification model that does not certify? The idea is just create a way to make it very low cost, easy to apply and get a certification, globally, ending Jeff’s problem and others’, easy to renew, like a click in a button, and cheap as a beer such renew, and with tooling making it easy to sign any apps (except Apple ones, I don’t see them joining in such model).
Not sure yet. But you know, we have smart guys that speed the process up. You install an app and this app will help us with a more digital way of providing docs, images, ids, etc.we can have decentralized local assistance to check the docs knowing the local rules, and its job is certified by another random peer… A kind of Uber of certification peer reviewed. Something like that.
Well, you guys need to know large companies. Such kind of data is collected by automations using secure ways, stored encrypted, and the security of those data are audited. I don’t know, but probably some friend of yours already bought something from Amazon online, or signed Google Cloud, or use Mozilla Firefox, and trust them.
What the hell are you talking about? PCI Compliance is already a thing. The fact of the matter is users still do dumb things with their data, including credit card data. No, Google is not going to leak your credit card data. What’s your point?