Code Signing is Not Optional

I’ve heard from way too many projects that they can’t sign their applications and binaries. This isn’t true. What it really means is that it’s a hassle for them to do so, or costs them a few bucks. In 2025 this is not OK. Code signing, developer attestation, and reproducible builds are mandatory. Open source is not an excuse. The problems of supply chain attacks and malware are far too serious to allow unsigned, unattested software on our devices. Letting projects get away with this because they’re open source and no one pays them is like letting home gardeners pour poisonous pesticides into the water supply. If a hobby project can’t be bothered to navigate code signing requirements, then it shouldn’t be allowed on other people’s computers, any more than we allow home-built autos that don’t meet mandatory safety requirements on the public highways or hobbyist drones to fly around airports. There are costs associated with production software, and if you’re not able to pay those costs, don’t ship.

Of course, it’s not just open source developers that have to do this. It’s all software, closed source commercial and enterprise included. And it’s not just a question of ticking the checkboxes. You have to do this right. Recently I’ve noticed a common UI problem in a lot of commercial software when it comes to app signing. Take a look. Do you see it?

Would You Entrust Your Data to These Yokels?

You have asked Firefox to connect securely to www.delldatasafe.com, but we can't confirm that your connection is secure.

Normally, when you try to connect securely, sites will present trusted identification to prove that you are going to the right place. However, this site's identity can't be verified.

What Should I Do?

If you usually connect to this site without problems, this error could mean that someone is trying to impersonate the site, and you shouldn't continue.

www.delldatasafe.com uses an invalid security certificate.

The certificate is not trusted because the issuer certificate is unknown.

(Error code: sec_error_unknown_issuer)

If Dell can’t even manage their public key certificates, how can I trust them to keep my data safe and secure?

Verifying SSH Host Fingerprints

If you use ssh you’re familiar with this message:

~$ ssh rich.elharo.com
The authenticity of host 'rich.elharo.com (192.168.254.36)' can't be established.
RSA key fingerprint is 5a:65:0f:5f:21:bb:fd:6a:5a:68:cd:62:58:5d:fb:9f.
Are you sure you want to continue connecting (yes/no)?

If you’re like me, you regularly just type yes and continue without much thought:

Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'rich.elharo.com,192.168.254.36' (RSA) to the list of known hosts.

But is that really safe?
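The fingerprint in that prompt is just a hash of the host's public key blob, so answering "yes" only proves anything if you compare it against a value you obtained some other way, for example by running ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub on the server's console (ssh-keygen -l -E md5 -f ... prints the older colon-separated form shown above). The following Python is an added example, not code from this post: it derives both fingerprint formats from an OpenSSH public key line, checks a presented key against a fingerprint recorded out of band, and matches a key against known_hosts entries in both the plain and the hashed (|1|salt|hash) form. The key material, host name and fingerprints are constructed for the example; the blob is a synthetic ssh-ed25519 key, not a real host key.

```python
import base64
import hashlib
import hmac


# Constructed sample key for this example (synthetic, not a real host key).
# An ssh-ed25519 wire blob is string("ssh-ed25519") || string(32-byte key),
# where each string is prefixed with a 4-byte big-endian length.
def _ssh_string(data: bytes) -> bytes:
    return len(data).to_bytes(4, "big") + data


SAMPLE_KEY_BYTES = bytes(range(32))  # placeholder public key material
SAMPLE_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(SAMPLE_KEY_BYTES)
SAMPLE_PUBKEY_LINE = (
    "ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode() + " example host key"
)


def parse_pubkey_line(line: str) -> tuple[str, bytes]:
    """Return (key type, raw key blob) from an OpenSSH public key line."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("not an OpenSSH public key line")
    return fields[0], base64.b64decode(fields[1], validate=True)


def fingerprint_md5(blob: bytes) -> str:
    """Legacy colon-separated MD5 fingerprint, the format in the ssh prompt above."""
    return ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def fingerprint_sha256(blob: bytes) -> str:
    """Current OpenSSH fingerprint: 'SHA256:' + base64 digest with '=' padding stripped."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def verify_host(hostname: str, presented_line: str, trusted_fingerprint: str) -> bool:
    """Compare the presented key's fingerprint to one recorded out of band.

    Accepts either the SHA256:... form or the legacy colon-separated MD5 form.
    hostname is only used by callers to choose which trusted fingerprint applies.
    """
    _, blob = parse_pubkey_line(presented_line)
    if trusted_fingerprint.startswith("SHA256:"):
        return hmac.compare_digest(fingerprint_sha256(blob), trusted_fingerprint)
    return hmac.compare_digest(fingerprint_md5(blob), trusted_fingerprint.lower())


def known_hosts_hashed_name(hostname: str, salt: bytes) -> str:
    """The |1|salt|hash host field OpenSSH writes when HashKnownHosts is on:
    base64(salt) and base64(HMAC-SHA1(key=salt, msg=hostname))."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|" + base64.b64encode(salt).decode() + "|" + base64.b64encode(mac).decode()


def known_hosts_entry_matches(entry: str, hostname: str, blob: bytes) -> bool:
    """True if one known_hosts line names hostname (plain list or hashed form)
    and carries exactly the key blob. Marker lines (@cert-authority, @revoked)
    need their own handling and are treated as 'no match' here."""
    fields = entry.split()
    if len(fields) < 3 or fields[0].startswith("@"):
        return False
    names, _key_type, key_b64 = fields[0], fields[1], fields[2]
    if names.startswith("|1|"):
        _, _, salt_b64, _mac_b64 = names.split("|")
        expected = known_hosts_hashed_name(hostname, base64.b64decode(salt_b64))
        name_ok = hmac.compare_digest(expected, names)
    else:
        name_ok = hostname in names.split(",")  # "host,1.2.3.4" style aliases
    try:
        key_ok = hmac.compare_digest(base64.b64decode(key_b64, validate=True), blob)
    except ValueError:  # binascii.Error is a ValueError: malformed base64
        return False
    return name_ok and key_ok


if __name__ == "__main__":
    key_type, blob = parse_pubkey_line(SAMPLE_PUBKEY_LINE)
    print(key_type, fingerprint_md5(blob))
    print(key_type, fingerprint_sha256(blob))
    recorded = fingerprint_sha256(blob)  # stands in for the value read off the console
    print("matches recorded fingerprint:", verify_host("rich.elharo.com", SAMPLE_PUBKEY_LINE, recorded))
```

The point of the hashed known_hosts check is that a leaked known_hosts file does not reveal which hosts you connect to, but it still binds each host to exactly one key blob; a different key for the same salt and hostname fails the comparison, which is what the "REMOTE HOST IDENTIFICATION HAS CHANGED" warning reports on a later connection.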