digitalmars.D.announce - Beta 2.100.2

Martin Nowak <code dawg.eu> writes:
Glad to announce the first beta for the 2.100.2 point release, ♥ 
to the 16 contributors.

http://dlang.org/download.html#dmd_beta
http://dlang.org/changelog/2.100.2.html

As usual please report any bugs at
https://issues.dlang.org

N.B.: We had some delays to clarify the expired EV certificate 
and the next releases will ship without signed Windows binaries 
due to the complications and cost of EV certificates.

-Martin
Aug 31 2022
matheus <matheus gmail.com> writes:
On Wednesday, 31 August 2022 at 13:20:51 UTC, Martin Nowak wrote:
 Glad to announce the first beta for the 2.100.2 point release,
Thanks.
 N.B.: We had some delays to clarify the expired EV certificate 
 and the next releases will ship without signed Windows binaries 
 due to the complications and cost of EV certificates.
Is it possible to share the costs for this?

Matheus.
Aug 31 2022
Iain Buclaw <ibuclaw gdcproject.org> writes:
On Wednesday, 31 August 2022 at 15:48:05 UTC, matheus wrote:
 On Wednesday, 31 August 2022 at 13:20:51 UTC, Martin Nowak wrote:
  Glad to announce the first beta for the 2.100.2 point release,
 Thanks.
  N.B.: We had some delays to clarify the expired EV certificate 
  and the next releases will ship without signed Windows 
  binaries due to the complications and cost of EV certificates.
 Is possible to share the costs for this?
Anywhere in the ballpark of a $750 to $1300 annual fee. Can only give an estimate as on top of the eye-watering EV prices, there may be more equally high fees for attestation and cloud signing.

To put that in context, the original certificate ordered in 2018 cost only $267 and was valid for **3 years**. That's a price inflation of over 150% year-on-year!

The process has gotten more complex too, as it is now required to have some sort of [hardware token](https://cabforum.org/2022/04/06/ballot-csc-13-update-to-subscriber-key-protection-requirements/) in order to sign, not exactly CI pipeline friendly. Cloud-based HSM solutions exist, but at an opaque cost, and our current workflow will still be broken after getting it set-up anyway.

All this for at most only 12 signed Windows binaries per year (maybe 36 if you include the beta and rc releases). It's getting hard to justify proceeding with this cost unless we are *really* confident with just exactly what we are doing.

I've only come across one other language compiler that has an open issue for a lack of code signed release binaries. It seems that an agreement was made with the Mozilla foundation to use their [autograph service](https://github.com/mozilla-services/autograph), but they've made no progress on it for the last 7 years, and there are still no signed releases.

No one has raised an issue so far for all DMD releases since that occurred in the last 12 months, so either lack of signing isn't a problem, or people are just ignoring/working around whatever warning messages you might get for running unsigned binaries (NB: haven't used Windows since 2003 so I have no clue what happens when you run an unsigned binary).
Aug 31 2022
Guillaume Piolat <first.last spam.org> writes:
On Thursday, 1 September 2022 at 04:34:40 UTC, Iain Buclaw wrote:
 No one has raised an issue so far for all DMD releases since 
 that occurred in the last 12 months, so either lack of signing 
 isn't an problem, or people are just ignoring/working around 
 whatever warning messages you might get for running unsigned 
 binaries (NB: haven't used Windows since 2003 so I have no clue 
 what happens when you run an unsigned binary).
When running an unsigned binary you get a warning at opening, that you can ignore.

OV certificates are less expensive than EV certificates, for example you can get one at https://www.ksoftware.net/code-signing-certificates/ that lasts 3 years.
Sep 01 2022
matheus <matheus gmail.com> writes:
On Thursday, 1 September 2022 at 04:34:40 UTC, Iain Buclaw wrote:
 ...

 Anywhere in the ballpark of an $750 to $1300 annual fee. Can 
 only give an estimate as on top of the eye-watering EV prices, 
 there may be more equally high fees for attestation and cloud 
 signing.

 To put that in context, the original certificate ordered in 
 2018 cost only $267 and was valid for **3 years**.  That's a 
 price inflation of over 150% year-on-year!

 ...
Wow I didn't know it was so expensive. I mean it was somewhat reasonable back in the day ($267 for 36 months ~ $ 7.41 per month), now it can be around ~ $ 62 to $ 108, much too expensive.

I'm a foreigner and if in need I can throw in $ 30.00 per month, but I think this must be paid upfront for a year.

But since you said nobody is complaining maybe just let it be.

Thanks for the info,

Matheus.
Sep 01 2022
Hugo <Hugo.Hinterberger gmail.com> writes:
Hi,

 Can only give an estimate as on top of the eye-watering EV prices
As far as I know, EV certificates are only required for device drivers in Windows. An OV certificate plus timestamp should be enough to sign an executable for Windows.

Hugo
Sep 26 2022