For the curious, obtaining an open source certificate involved an application process and passing an audit. This was the response after my initial application. (Also realized I introduced a bug in 7.3.1, so 7.3.3 is now out too.)
Quote:
We provide a free code signing certificate (issued to our “SignPath Foundation”) and offer our service for free to open source projects. Due to the certificate being issued to our organization, we need to verify that the binary artifact is built solely from the source code in the public GitHub repository. We therefore integrate with CI services and check the configuration. Currently, AppVeyor and GitHub Actions are supported.
We will review your project with a focus on its security aspects and reputation, and we will get back to you shortly.