[tor-bugs] #3861 [Tor bundles/installation]: begin signing Windows packages the Windows way
Tor Bug Tracker & Wiki
torproject-admin at torproject.org
Fri Sep 2 13:00:27 UTC 2011
#3861: begin signing Windows packages the Windows way
--------------------------------------+-------------------------------------
Reporter: erinn | Owner: erinn
Type: enhancement | Status: new
Priority: normal | Milestone:
Component: Tor bundles/installation | Version:
Keywords: | Parent:
Points: | Actualpoints:
--------------------------------------+-------------------------------------
Comment(by rransom):
Replying to [comment:1 mo]:
> I think you should sign. What you need is the "Core SDK Tools" that ship
with the Platform SDK. You can select to install only those, and AFAIK you
don't need Visual Studio.
`osslsigncode` is a portable open-source alternative, although if we're
planning to switch to Microsoft's toolchain anyway,
>
http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=11310
(web installer)
>
http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=24826
(ISO)
>
> More info on how to perform it and screenshots comparing signed and
unsigned executables: http://www.kinook.com/blog/?p=10
>
> "get a code signing certificate (or digital ID) from a certification
authority (CA) such as Comodo, Thawte, VeriSign, and others. You will need
a Class 3 digital certificate for code signing."
Distributing all of our packages as .exe files signed in this manner will
do more harm than good to our users unless they check that each package is
signed by the exact certificate which we use to sign packages.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/3861#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list