Crowdfunding a Code Signing Certificate for VB OSE?

Discussions related to using the OSE version of VirtualBox.
Todd Almighty
Posts: 51
Joined: 13. Nov 2013, 13:44

Crowdfunding a Code Signing Certificate for VB OSE?

Post by Todd Almighty »

After all the trouble of building VB without the stupid hardening, I now find that I have to keep my Windows 8.1 machine permanently booted in "test signing" mode even when the VB assets are signed with a valid self-signed certificate that I've added to my root certificate store, in order to run (not just install) VB OSE. Only kernel drivers with cross-signed certs (i.e. from Microsoft, VeriSign, etc.) can be run in normal mode.

So, I'm wondering, is there anything in the forum rules prohibiting me from trying to organize a crowd-funded purchase of a code-signing certificate to sign builds of VB OSE? If not here, then I guess I can try to organize it elsewhere. These certificates are crazy expensive, and I shouldn't have to run a compromised machine when I only want to give a pass to VB OSE, and not every other potential kernel driver out there.
mpack
Site Moderator
Posts: 39156
Joined: 4. Sep 2008, 17:09
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Mostly XP

Re: Crowdfunding a Code Signing Certificate for VB OSE?

Post by mpack »

No respectable certification body would issue a certificate to a "crowd". Named individuals and businesses only need apply.

And I disagree that certification is "crazy expensive". I got my company certified through DigiCert, and I don't remember the cost even being an issue. I agree that it's not the sort of thing that individuals would want - or are intended - to do.
Todd Almighty
Posts: 51
Joined: 13. Nov 2013, 13:44

Re: Crowdfunding a Code Signing Certificate for VB OSE?

Post by Todd Almighty »

mpack wrote:No respectable certification body would issue a certificate to a "crowd". Named individuals and businesses only need apply.
Strawman argument. The funding document would specify that should the goal be met, an LLC or equivalent would be created to function as a corporate entity to purchase the cert and sign the code. I don't know the exact purchase requirements but I can't imagine an LLC would be refused just because it wasn't a profitable business.
mpack wrote: And I disagree that certification is "crazy expensive". I got my company certified through DigiCert, and I don't remember the cost even being an issue. I agree that it's not the sort of thing that individuals would want - or are intended - to do.
You're the owner of Oracle? If not, what do you mean by "my company"? If your company is successful, why are you working for Oracle?

Minimum cost is $85 that I could find. That's more than I ever paid for any software, and you're claiming I either should pay it, not run OSE, or be forced to run my machine in "test signing" mode?

You say, "I agree" but we're not agreeing. Individuals absolutely would be interested in such a cert, for precisely the reasons mentioned. So I can run OSE without having my machine booted into test mode.
CaptainFlint
Posts: 107
Joined: 9. Oct 2007, 10:17
Primary OS: MS Windows 7
VBox Version: PUEL
Guest OSses: Various Windows and Linux distros
Location: Moscow, Russia

Re: Crowdfunding a Code Signing Certificate for VB OSE?

Post by CaptainFlint »

Todd Almighty wrote:Minimum cost is $85 that I could find. That's more than I ever paid for any software, and you're claiming I either should pay it, not run OSE, or be forced to run my machine in "test signing" mode?
…and that's probably not what you want. I've seen some companies sell code signing certificates which are not applicable for Windows kernel drivers: Microsoft does not provide a cross-certificate for them, and therefore, Windows will not load drivers signed by such a certificate. If by any chance you come to buying a certificate, make 100% sure it's what you need, so you don't waste money for nothing! Last time I checked, the cheapest one I could find had a cost of at least a few hundred bucks. While not a big issue for a mid-size company, it's definitely not something that a private person would like to throw away, just to be indulgently allowed to run his own kernel-mode software on his own computer. And in any case, a private person without a company would have real difficulty buying such a certificate, even if he wanted to. I've read reports from somebody who tried…

Also, an important note: in Windows 10 with Secure Boot enabled, even such a signature is no longer accepted. For that, one has to buy an EV certificate (which is about twice as expensive, and requires your organization to conform to much stricter rules), sign the drivers with it and send them to Microsoft for the so-called Attestation Signing. (Without Secure Boot, however, this is not required; an old-style signature will be accepted just like in previous Windows versions.)
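
Added example, not part of any post in this thread: a PowerShell check that separates the two kinds of trust discussed above, the user-mode Authenticode result (which a self-signed certificate in the local root store can satisfy) and the kernel-mode driver signing policy (which needs the Microsoft cross-certificate chain). It assumes an elevated prompt, `signtool.exe` from the Windows SDK/WDK on PATH, and English `bcdedit` output; `$DriverPath` is a placeholder for the driver you built.

```powershell
# Added example: compare user-mode trust with the kernel-mode signing policy.
# Assumptions: elevated prompt, signtool.exe on PATH, English bcdedit output.
param(
    [Parameter(Mandatory)][string]$DriverPath,   # placeholder: path to your .sys file
    [string]$SignTool = 'signtool.exe'
)

# 1. Is the current boot entry in test-signing mode?
$bcd = & bcdedit.exe /enum '{current}'
$testSigning = [bool]($bcd | Select-String -Pattern '^\s*testsigning\s+Yes' -Quiet)

# 2. Is Secure Boot on? The cmdlet throws on legacy-BIOS machines; count that as off.
#    Per the post above, with Secure Boot on in Windows 10 a cross-signed
#    signature is not accepted either and attestation signing is needed.
try   { $secureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop) }
catch { $secureBoot = $false }

# 3. User-mode view: does the signer chain to a root this machine trusts?
#    A self-signed certificate added to the local root store can pass here.
$sig = Get-AuthenticodeSignature -FilePath $DriverPath

# 4. Kernel-mode view: /kp applies the kernel-mode driver signing policy,
#    /v prints the certificate chain so you can see where it ends.
& $SignTool verify /kp /v $DriverPath
$kernelPolicyOk = ($LASTEXITCODE -eq 0)

# Summary object; the interesting case is AuthenticodeStatus = Valid together
# with PassesKernelPolicy = False.
[pscustomobject]@{
    Driver             = (Resolve-Path -LiteralPath $DriverPath).Path
    TestSigningMode    = $testSigning
    SecureBoot         = $secureBoot
    AuthenticodeStatus = $sig.Status
    Signer             = $sig.SignerCertificate.Subject
    Issuer             = $sig.SignerCertificate.Issuer
    PassesKernelPolicy = $kernelPolicyOk
}
```

Running the same check against a certificate vendor's sample or a driver already signed with the certificate type you are considering shows whether it satisfies the kernel policy before any money is spent.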
mpack
Site Moderator
Posts: 39156
Joined: 4. Sep 2008, 17:09
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Mostly XP

Re: Crowdfunding a Code Signing Certificate for VB OSE?

Post by mpack »

Todd Almighty wrote:
mpack wrote:No respectable certification body would issue a certificate to a "crowd". Named individuals and businesses only need apply.
Strawman argument.
Do you ever have anything else to say? In fact it wasn't an argument at all, it was an observation based on actual knowledge and experience, which you obviously don't have.
Todd Almighty wrote:The funding document would specify that should the goal be met, an LLC or equivalent would be created to function as a corporate entity to purchase the cert and sign the code.
Yeah, good luck with that.
Todd Almighty wrote: You're the owner of Oracle? If not, what do you mean by "my company"? If your company is successful, why are you working for Oracle?
What in g*d's name makes you think I ever worked for Oracle? Did I ever say that? Does it say Oracle in the panel on the right of this post?? Is it the fact that I participate in an Oracle forum - as you also do? So do you work for Oracle? How many times do you need to be told that this is a user to user discussion forum? Everyone here is a user of the free download. Any Oracle people you see will be clearly identified and here in an unofficial capacity only.