SignPath for Open Source projects

Open Source is ubiquituous

Open source software has become one of the pillars upon which modern software development builds. Without the thousands of high-quality open source libraries and tools, developed and maintained by contributors from all around the world, many of today's popular services and applications would be unthinkable. Due to the enormous success, open source projects enjoy the advantages of free resources for hosting, building and deploying their content.

Challenges of code signing

When it comes to code signing, community-driven projects still face a number of burdens: As they constitute no legal entity, certificate authorities (CAs) refuse to grant a code signing certificate to open source projects (only to individual contributors) and their services are also not yet provided for free. This is where the SignPath Foundation comes into play. Under the umbrella of the SignPath Foundation, open source projects can apply for a free code signing certificate. In order to use the free certificate, the build process has to be fully automated and integrated with SignPath.io, to ensure that the resulting binary results directly from the source code checked into the repository.

Transparency matters

One of the many advantages of open source software is the transparency it provides in respect to which code is executed on your system. However, for compiled programs, this only holds true if the build process is also transparent and reproducible. SignPath tightly integrates with online build systems to ensure that the library or program that is code signed was built only from code checked into the repository.