docs: fix lint warnings and clean up references
- Fix MD060 table separator spacing across all docs
- Fix MD031/MD032 blank lines around code fences and lists
- Fix MD029 ordered list numbering in ecc-setup-guide
- Genericize hardcoded app names (LedGrab/MediaServer → YourApp)
- Remove non-existent `claude skill install` CLI command
- Add staleness warning for ECC Windows fixes
- Add cross-link from windows-code-signing to gitea-python-ci-cd
+14
-1
@@ -5,6 +5,7 @@ A review of code signing options for Windows executables (.exe installers), focu
|
||||
## Why Sign?
|
||||
|
||||
Unsigned executables trigger:
|
||||
|
||||
- **Chrome**: "This file isn't commonly downloaded and may be dangerous"
|
||||
- **SmartScreen**: "Windows protected your PC — Unknown publisher"
|
||||
- **Edge**: Download blocked with "unverified" warning
|
||||
@@ -18,6 +19,7 @@ These warnings significantly reduce user trust and installation rates.
|
||||
**Cost:** ~$9.99/month (Basic tier)
|
||||
|
||||
**Key advantages:**
|
||||
|
||||
- **Immediate SmartScreen trust** — Microsoft is the CA, so signed binaries are trusted from day one
|
||||
- Available to **individuals** — no business entity required
|
||||
- Identity verification via government ID + address (takes a few business days)
|
||||
@@ -25,6 +27,7 @@ These warnings significantly reduce user trust and installation rates.
|
||||
- Microsoft-backed trust chain
|
||||
|
||||
**Setup:**
|
||||
|
||||
1. Create Azure account + subscription
|
||||
2. Provision "Trusted Signing" resource in Azure portal
|
||||
3. Complete identity verification (personal or organization)
|
||||
@@ -53,6 +56,7 @@ These warnings significantly reduce user trust and installation rates.
|
||||
```
|
||||
|
||||
**Required secrets:**
|
||||
|
||||
- `AZURE_KEY_VAULT_URL` — Trusted Signing account endpoint
|
||||
- `AZURE_CERT_NAME` — Certificate profile name
|
||||
- `AZURE_CLIENT_ID` — Azure AD app registration client ID
|
||||
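Review bot: under Required secrets, `AZURE_KEY_VAULT_URL` is described as the Trusted Signing account endpoint, so the name points readers at Key Vault while the value is something else. Either say in the bullet why the Key Vault name is kept, or rename it in the example. The same applies to `AZURE_CERT_NAME`, which holds a certificate profile name rather than a certificate.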
@@ -60,6 +64,7 @@ These warnings significantly reduce user trust and installation rates.
|
||||
- `AZURE_TENANT_ID` — Azure AD tenant ID
|
||||
|
||||
**Gotchas:**
|
||||
|
||||
- Identity verification can take a few business days
|
||||
- Basic tier shows your verified personal name (not a custom organization name)
|
||||
- Relatively new service — documentation is still evolving
|
||||
@@ -72,6 +77,7 @@ These warnings significantly reduce user trust and installation rates.
|
||||
**Cost:** Free for qualifying open-source projects.
|
||||
|
||||
**Requirements:**
|
||||
|
||||
- OSI-approved license
|
||||
- **Public repository on a major forge** (GitHub, GitLab) — self-hosted Gitea likely does not qualify
|
||||
- Project must show community activity (stars, contributors, issues)
|
||||
@@ -90,6 +96,7 @@ These warnings significantly reduce user trust and installation rates.
|
||||
**Cost:** OV ~$200-350/year, EV ~$350-500/year + eSigner cloud signing costs.
|
||||
|
||||
**Key facts:**
|
||||
|
||||
- Free open-source program **discontinued** as of late 2024
|
||||
- CA/Browser Forum rules (June 2023) require hardware token or cloud key storage — no PFX file downloads
|
||||
- eSigner cloud service has CLI tools and API, works with any CI
|
||||
@@ -104,6 +111,7 @@ These warnings significantly reduce user trust and installation rates.
|
||||
**Cost:** ~$27-59/year for open-source OV code signing (cheapest legitimate option).
|
||||
|
||||
**Key facts:**
|
||||
|
||||
- Requires hardware token (SimplySign cloud or physical card reader)
|
||||
- SimplySign cloud option can work in CI with effort
|
||||
- OV only — SmartScreen reputation must be built over time
|
||||
@@ -127,7 +135,7 @@ These warnings significantly reduce user trust and installation rates.
|
||||
## Comparison Table
|
||||
|
||||
| Option | Cost | SmartScreen | CI/CD Fit | Individual OK? |
|
||||
|--------|------|-------------|-----------|----------------|
|
||||
| -------- | ------ | ------------- | ----------- | ---------------- |
|
||||
| **Azure Trusted Signing** | $9.99/mo | Immediate | Excellent | Yes |
|
||||
| SignPath.io | Free | Immediate | GitHub only | Yes (if public repo) |
|
||||
| SSL.com OV | ~$250/yr | Needs reputation | Good (eSigner) | Yes |
|
||||
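Review bot: in the SignPath.io row the CI/CD Fit cell reads "GitHub only", but the Requirements list for the same option names both GitHub and GitLab as qualifying forges. The table is already being touched for the separator row, so pick one wording and use it in both places in the same pass.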
@@ -138,6 +146,7 @@ These warnings significantly reduce user trust and installation rates.
|
||||
## Recommendation
|
||||
|
||||
**Azure Trusted Signing** is the best option for personal open-source projects:
|
||||
|
||||
- Affordable ($9.99/mo)
|
||||
- Immediate SmartScreen trust
|
||||
- No business entity required
|
||||
@@ -145,6 +154,10 @@ These warnings significantly reduce user trust and installation rates.
|
||||
|
||||
If budget is zero and the project is on public GitHub, try **SignPath.io** first.
|
||||
|
||||
## See Also
|
||||
|
||||
- [CI/CD for Python Apps on Gitea](gitea-python-ci-cd.md) — full pipeline reference including the signing step in context
|
||||
|
||||
## References
|
||||
|
||||
- [Azure Trusted Signing documentation](https://learn.microsoft.com/en-us/azure/trusted-signing/)
|
||||
|
||||
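Review bot: the new See Also entry links to `gitea-python-ci-cd.md` by bare relative path, which only resolves if that file sits in the same directory as this document. Confirm the target exists at that path, and consider adding the reciprocal link from the CI/CD guide so its signing step points back to this comparison.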