Is It Safe to Share a Code Signing Certificate Among Developers?

Asked By CuriousCoder92 On

I'm wondering about the feasibility of sharing a code signing certificate among a group of independent developers. EV and OV certificates can be really pricey and alternatives, like those from the Microsoft store, come with significant limitations. This makes it tough for us to distribute open-source projects effectively.

What if we formed a collective of sorts and each member agreed to review the full codebase before approving any signature? I'd be willing to help out by reviewing a few repositories each month if it meant saving on certification costs. Is this approach reasonable, or is it just asking for trouble?

3 Answers

Answered By TechSavvyDude On

Honestly, I think sharing a code signing certificate is pretty risky. It opens up a lot of potential issues, especially if someone with bad intentions is involved. Each member might say they'll review the code, but how can you truly trust everyone to do it thoroughly? It sounds like a slippery slope to me.

Answered By CodeMasterJay On

You might want to check out Azure's code signing service—it's pretty affordable at about $10 a month now. It’s designed to be secure, so only the developers or processes you approve can use it. It's a solid alternative to sharing a certificate.

Answered By SecurityGuru77 On

I get where you’re coming from, but your CISO would probably have serious concerns. If one developer misuses that shared certificate, it could put the entire group at risk. It's definitely a high-stakes game when it comes to security.
