Signing the distribution on Windows & Mac
Submitted by Andy Robinson
(I've marked this bug as OS:Windows. It is really Windows and Mac but there's no way of indicating that).
Is there any interest in signing the distributions for Windows and Mac? It certainly seems to me that the current absence of signatures must be a significant obstacle to the adoption of GStreamer on these two platforms which between them account for the vast majority of all desktop computers.
At present on Windows 10 32-bit I download gstreamer-1.0-x86-1.8.1.msi and when I try to run it I get (actually this is the Win7 message but the Win10 message is similar):
"The publisher could not be verified.
Are you sure you want to run this software?".
On Mac OS 10.10 with default security settings I get:
"gstreamer-1.0-1.8.1-x86_64.pkg" can't be opened because
it is from an unidentified developer.
Your security preferences allow installation of only
apps from the Mac App Store and identified developers.
The Mac doesn't allow the option of installing at all.
This will prevent many Windows users and practically all Mac users from installing it. I might be exaggerating slightly, but I would say that these days it is hardly worth producing Windows and Mac distributions at all if they are not signed.
Once the signing certificates are obtained then it's just one more step in the build script. I'm happy to help if I can though it seems to me the certificates should be owned and applied by the GStreamer organization, or by the person who builds the distribution packages. In particular I would be happy to pay the costs, which AFAIK would be something like $99 per year to be a member of the Apple Developer program and I currently pay around $400 per year for an authenticode certificate from Symantec, for Windows signing.
Obviously there is some self interest here on my part : the next release of my company's main product will not require GStreamer but I will be encouraging users to install it to add certain features (e.g. video, and more audio file formats).
Mac: I don't think there are identity checks and they have the concept of developer teams allowing more than one person to be able to sign.
Windows: you need to go through the procedure of ordering and collecting the certificate using the same browser and machine throughout - and I found it has to be IE not Edge. But once you have the certificate you can move the pfx file to a different machine and use it there. Of course, as soon as you send the pfx in an unencrypted email then it could potentially be leaked. There are also identity checks before the certificate is issued, depending on the certificate provider's procedures.
It is all a bit tedious and tricksy to get it set up. If the GStreamer people who prepare the Windows & Mac distributions want to do this then as I've said I would be happy to pay the cost, and this would be the right way to do it, with certificates issued to the GStreamer organisation. But I don't know if you have the time and the desire to make this happen.