Code signing GitHub Action support for open source projects

Hi there,

I have an open source project (https://github.com/fortio/fortio/releases) with binary distributions for various OSes, Docker images, as well as Homebrew for macOS, etc.

I would like to make a Windows distribution of the binary without my users getting the dreaded "Windows protected your PC… Unknown publisher" dialog when running it.

I don't really want to spend a ton of money to get a signing setup for an open source project.

Wouldn't it be great if GitHub, being owned by Microsoft, supported signing binaries through GitHub Actions (CI/CD) for free for open source projects that are "big enough"? (Some way to identify the authors, maybe a new field in addition to License.)

Thanks
Laurent


@ldemailly I think this would be awesome. There are some obvious problems that would need to be solved. I am not sure "big enough" is the right metric. It should rather be "trusted enough". I never understood how paying money to a signing authority meant one was "trusted enough". I leave it to the security experts at GitHub to sort out these sorts of problems. I think an author registry for autosigned binaries would be a step in the right direction.

Hi @ldemailly,

Glad to see you in the GitHub Community Forum!

According to the policy, it's recommended to raise a feedback ticket at the link below, where a GitHub product manager will review it:

On the other hand, on your Windows machine (e.g. Windows 10), you can disable it in the Windows settings:
Windows Defender Security Center -> App & browser control -> Check apps and files -> turn it 'Off'.

Thanks