On most operating systems nowadays, signed software is the standard and unsigned software is flagged as insecure. It is important that Kiwix signs its binaries so that beginners (one of our main target audiences) feel safe when using Kiwix.
It is important to note that signing software does not, by itself, make it more secure. Still, it gives two pieces of information to the user:
- The software being executed has been produced by the entity who signed it. In our case, users will know that this version of Kiwix has been made by the Kiwix developers and not by someone else.
- The software being executed has not been altered since it was signed: it is the released version.
How to sign packages varies depending on the target system.
Mac OS X
On OS X, starting with version 10.7, not signing an application results in a big warning when the software is launched. It completely prevents the user from opening it unless they do one of the following:
- Right-click and specifically request opening (this must be done every time the software is launched)
- Edit System Preferences to allow all unsigned packages to be executed.
To sign the application we need:
- An Apple Developer Connection account with a Mac Developer Program subscription ($99/year). I believe we need to pay this only the first year (to get the certificate), but we'll have to verify that later. It is different from iOS, so if we want to publish an iOS version, that's another $99/year.
- An Apple certificate. Note: OS X accepts only Apple certificates, despite what other certificate sellers claim.
From there, we will have a certificate installed on our build machine (buildbot) and the process is simple:
codesign --force --verify --verbose --sign "Developer ID Application: <KiwixID>" Kiwix.app/Contents/Frameworks/libclucene.dylib
It is important to know that we need to sign every single dylib, and Kiwix ships a lot of them.
We will have to add another step to the buildbot recipe to sign the build. This step will happen after everything is built but before the dmg is closed.
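Putting that buildbot step together, here is an added example script (not Kiwix's own recipe): it signs every dylib found under Kiwix.app/Contents, then signs the bundle itself, and finally verifies the whole tree so the build aborts before the dmg is produced if anything is left unsigned. It assumes codesign is available on the build machine with the Developer ID certificate in its keychain; the identity is the same placeholder as above, and the CODESIGN and IDENTITY variables are introduced here (CODESIGN can be pointed at another command for a dry run).

```shell
#!/bin/sh
# Added example for the buildbot signing step (not Kiwix's own recipe).
# Assumptions: codesign(1) is present on the build machine and the Developer ID
# certificate is in its keychain; "<KiwixID>" is a placeholder identity.
# CODESIGN can be pointed at another command (e.g. "echo") for a dry run.
CODESIGN="${CODESIGN:-codesign}"
IDENTITY="${IDENTITY:-Developer ID Application: <KiwixID>}"

# Every dylib below Contents/ must carry its own signature; list them sorted so
# the run is reproducible and the log is easy to diff between builds.
list_dylibs() {
    find "$1/Contents" -type f -name '*.dylib' | sort
}

# Sign one piece of code; --force replaces any stale signature left by a
# previous build instead of failing on it.
sign_one() {
    "$CODESIGN" --force --verbose --sign "$IDENTITY" "$1"
}

# Sign the nested libraries first and the bundle last: the bundle's seal covers
# its contents, so anything signed afterwards would invalidate it.
sign_bundle() {
    app="$1"
    libs=$(list_dylibs "$app")
    if [ -z "$libs" ]; then
        echo "sign_bundle: no dylibs found under $app/Contents" >&2
        return 1
    fi
    printf '%s\n' "$libs" | while IFS= read -r lib; do
        sign_one "$lib" || exit 1    # exit only leaves the pipeline subshell
    done || return 1
    sign_one "$app" || return 1
    # Final check over the whole tree; a non-zero status here must fail the
    # buildbot step before the dmg is closed.
    "$CODESIGN" --verify --deep --strict --verbose=2 "$app"
}

# Usage from the buildbot step: sign_kiwix.sh path/to/Kiwix.app
if [ "$#" -gt 0 ]; then
    sign_bundle "$1"
fi
```

The verify step runs codesign in its checking mode over the entire bundle, so a dylib that was added to the build but missed by the loop (for example one outside Contents/) shows up as a failed step rather than as a Gatekeeper warning on the user's machine.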
Windows
Windows is a little more permissive than OS X. On Windows, the default behavior is to display a warning dialog asking the user whether they really want to launch unknown software.
On Windows, most of the time only the installer is signed, because every action carried out by a signed binary inherits its authorization.
For Kiwix, we will still need to sign both the installer and kiwix.exe, since we also use kiwix.exe directly in Live/Portable mode. Should we want an additional program for autorun or anything else, we would have to sign it too.
To sign on Windows we need:
- A Windows 7 box with the Windows 7 SDK and the .NET 4 Framework
- A certificate from COMODO or GoDaddy (~$170 for 3 years).
signtool sign /f MyCert.pfx /p MyPassword Kiwix.exe