I mean, aside from the $100/yr cost, Apple’s signing is the most hassle free you can get. You just sign up and get a certificate. If your app is modified, macOS won’t run it. It’s really good. Just a whole lot of dotting your i’s and crossing your t’s in the actual signing process.
Windows code signing certificates are a nightmare to obtain, and provide little actual protection, but the signing process is easy.
I’d take Apple’s model any day.
What you are not taking in consideration is that I am talking about a movement to remove greed from the equation, in a almost non for profit business. And Apple can’t do that and would avoid such thing to exist if making part of the board. And yes, I am talking about the rest of the non Apple code-signing. You would still be happy the way you like it, Apple would still do the things the way they like in some proprietary Apple way, that’s why Tim Cook and such thing are incompatible.
And after three days I bought the certificates, they are not yet ready 
Oh it has taken me much longer. As I said, obtaining la certificate for Windows is a nightmare.
The bad part is that you paid for something that will take time, increase the difficulty to produce your product, and MAY not remove those blocks you want to avoid unless you paid the EV level and did all the paperwork they will demand. There should be SOME OTHER way to solve this problem in a global fashion and with low prices. Some org should do a joint effort to solve it, as they did to solve the processor development advancements restrictions creating the open hardware RISC-V design or the security increase, for the web, with the “Let’s Encrypt”. Some “Let’s Code Sign” should exist.
Not to mention virus checker’s ‘reputation services’ :
e.g : we never heard of your insignificant little app, so we will tell the customer that it is dangerous and just delete it
It’s all dependent on Microsoft trusting your root certificate. That’s why these cost money and require such verification. It a trusted root is used to sign an excessive amount of malware, Microsoft won’t trust it. Giving the certificates value decreases the abuse, but the verification is where the bulk of the malcontents get filtered away.
We already see issues with some providers not trusting Let’s Encrypt. Luckily most do, but Let’s Encrypt really breaks the chain of trust that is supposed to exist for certificates. The system says “I trust you, and you trust him, so I trust him.” Let’s Encrypt skips the “you trust him” step and just issues a certificate for anybody that asks.
It’s both a good and a bad thing. I use Let’s Encrypt. I do believe that SSL shouldn’t be so expensive. But you’re paying for the verification, not for the certificate.
A “Let’s Code Sign” is more difficult because there’s no domain to show to the user. Nothing is stopping multiple certificates from being issued for the same common name, which is the one shown in the “do you trust this publisher” dialog in Windows. If such a service were to exist, what would stop me from obtaining a certificate in Xojo’s name?
Well, as you are not Xojo, you can’t. I’m not saying let’s remove the trust chain, just to add a new trustee, an org, created by a trusted team as the ISRG was created and maintained by those guys:
And I know they have some smart guys there able to create a better solution for the current model and if Microsoft get a chair there, it’s done.
But that’s my point. There is currently a verification process. To do away with that would allow me to obtain a certificate as Xojo.
And why do you think someone will construct a certification model that does not certify? The idea is just create a way to make it very low cost, easy to apply and get a certification, globally, ending Jeff’s problem and others’, easy to renew, like a click in a button, and cheap as a beer such renew, and with tooling making it easy to sign any apps (except Apple ones, I don’t see them joining in such model).
Because the time required is the verification process. Let’s Encrypt is domain-verified only, not identity verified. It works because it essentially isn’t verified.
How do you solve the verification problem?
Not sure yet. But you know, we have smart guys that speed the process up. You install an app and this app will help us with a more digital way of providing docs, images, ids, etc.we can have decentralized local assistance to check the docs knowing the local rules, and its job is certified by another random peer… A kind of Uber of certification peer reviewed. Something like that.
We have smart guys, and then there’s the people that work at identity verification who wanted me to scan my credit card and email it to them.
I said “we have smart guys” and smart guys building a secure process, involves unauthorized humans not having access to any credit card infos.
In an ideal world, sure. But that’s not the world we live in.
Well, you guys need to know large companies. Such kind of data is collected by automations using secure ways, stored encrypted, and the security of those data are audited. I don’t know, but probably some friend of yours already bought something from Amazon online, or signed Google Cloud, or use Mozilla Firefox, and trust them.
What the hell are you talking about? PCI Compliance is already a thing. The fact of the matter is users still do dumb things with their data, including credit card data. No, Google is not going to leak your credit card data. What’s your point?
No point, just confused by your bipolar opinions.
OK, I’m going to close this before things get further out of hand. Sufficiently strayed from helping OP get his certificate and codesign at this point, anyway.