Should Open-Source Libraries be Digitally Signed
It is a good practice to always sign executable files (exe, dll, ocx, etc.). On the other hand, with an open source project it may be considered disregarding the contributions to the project from all other developers.

This is quite an ethical dilemma for me and I would like to hear more opinions on this from either people who have been in a similar situation or people who contributed to an open source project.

I would like to note that this question is for an open-source project that was written in C# using .NET 4, so when a user clicks the executable, he or she will be shown a warning stating that the file is from an untrusted publisher if it is not digitally signed.

By the way, the assemblies all have strong-naming (signature) already, but they are not digitally signed yet (i.e. using a Verisign Code signing certificate).

Emad answered 15/4, 2011 at 14:15
Huh? .NET apps don't show an "untrusted publisher" warning when you run them. I build and run .NET apps all the time, and have never gotten the warning you describe from one of them. -- Horizon
Yes they do, if you download it from the web of course, not the ones that you compile locally. -- Emad
@Joe White: If you're distributing something with an installer or as an MSI, it will have to be code signed or you'll get warnings from IE and nasty UAC warnings. Here's an example of what you see -- the last screen is what you get from an unsigned executable. -- Airlia
.NET is a different beast, as many features (especially for libraries) require the file to be signed with a strong name key, but those can be self-signed with no complaint from the final product (it uses the program's cert, not the libraries', to pop up that message box you refer to in your original question).

However, in the general case I see nothing wrong with a group signing the official distro with a private key. If you do something to the source and recompile, technically "the file is from an untrusted publisher", as I may trust Canonical but I do not trust you. As long as the executable not being signed by a specific publisher does not stop it from being used in the manner it was intended (the tivoization clause in the GPL), I see no reason NOT to sign your executables.

Expertise answered 15/4, 2011 at 14:28
The problem is, it is not possible to get a group certificate (it requires being incorporated), so the signature will be a personal one. -- Emad
@Teoman Soygul Someone is the project manager, someone gets the final say on what is posted on the website in compiled form and what is not. That is who should be signing the application (if you are doing Authenticode). If you are just getting the PGP signature, the group can have its own private key, but likely you still are going to have one person managing it. -- Expertise
Yep, getting the executable and the installer package signed by the manager seems to be the way to go as we can't get a corporate certificate, but still... there will be broken hearts... -- Emad
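The answer above draws the line between a strong-name key (CLR identity, can be self-generated) and an Authenticode certificate (what Windows checks before the "untrusted publisher" prompt). This added PowerShell script, not part of the original thread, reports both properties for a set of assemblies so you can see which one a given file actually has; the `-Path` parameter and the output column names are my own choices.

```powershell
# Added example: inspect assemblies for strong naming vs. Authenticode signing.
# A strong-name token only identifies a key pair inside the CLR; it says nothing
# about who holds that key. Authenticode status is what the OS trust prompt uses.
param(
    [Parameter(Mandatory = $true)]
    [string[]]$Path   # assumption: one or more .dll/.exe paths to inspect
)

foreach ($file in $Path) {
    $item = Get-Item -LiteralPath $file

    # Strong name: present when the assembly identity carries a public key token.
    $token = '(none)'
    try {
        $asmName = [System.Reflection.AssemblyName]::GetAssemblyName($item.FullName)
        $bytes = $asmName.GetPublicKeyToken()
        if ($bytes -and $bytes.Length -gt 0) {
            $token = ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''
        }
    } catch {
        # Not a managed assembly (native DLL, corrupt file, etc.): leave '(none)'.
    }

    # Authenticode: full Windows verification, including the chain to a trusted root.
    # Status values include Valid, NotSigned, NotTrusted and HashMismatch.
    $sig = Get-AuthenticodeSignature -LiteralPath $item.FullName
    $signer = '(none)'
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }

    [pscustomobject]@{
        File              = $item.Name
        StrongNameToken   = $token
        AuthenticodeState = $sig.Status
        Signer            = $signer
    }
}
```

A file can show a strong-name token with `AuthenticodeState = NotSigned`; that is exactly the state the question describes, and it is the Authenticode column, not the token, that decides whether the publisher prompt appears.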
Saying that this is "quite an ethical dilemma" is probably blowing it out of proportion. You definitely want to code sign your executables, and I don't really see the problem with you signing it. For example, TortoiseSVN is signed by "Stefan Kueng, Open Source Developer".

That said, it is probably a good idea to form some kind of legal entity for your project, and then get the code-signing certificate in the name of your project's entity. That way, rather than you personally signing the executable (and thus "taking all the credit"), your project's name shows up as the publisher.

If you were in the US, I would suggest either forming an LLC or possibly a 501(c)(3) organization, which is exempt from income tax and allows individuals to make tax-deductible donations to the project. (Many open source projects organize as 501(c)(3) entities, including WordPress and jQuery.) I see you're in Turkey, so you'll have to research your local requirements for forming some kind of legal entity; once formed, you'll be able to get a certificate from a CA in the name of your project's entity rather than your own.

Airlia answered 15/4, 2011 at 15:18
josh3736, you beat me :V You're not taking credit by signing the executable, only certifying that it's "true". But this can be done only where there is some sort of entity (e.g. foundation, directive board, etc.) behind the project, and not only a bunch of developers. -- Samellasameness
@Albiero: Even as a bunch of developers, it's still pretty easy to form an entity to represent your project (at least in my neck of the woods; and if you don't need to deal with being tax-exempt). In Ohio, you need nothing more than $125 and a form with the name of the entity you're forming and your name and mailing address. You don't even need a formal charter or articles of incorporation or anything like that. -- Airlia
