
> Paying thousands of dollars per year just so that users can run your free software is ludicrous.

While I agree that requiring code signing certificates to run free software sucks, I'm curious where the thousands of dollars a year comes from? I finally broke down and purchased a code signing certificate[0] last year. The prices varied, but I don't recall seeing any for more than $300, and I was able to get mine for $100 which is valid through Windows 10 and works on everything else that uses one of these EV certs. In addition to that, I purchased a Yubikey, which I wanted anyway (and having a desire to protect my code-signing key was the excuse I was looking for to purchase one of those), bringing the total cost for the first year to $140 (and subsequent years at $100). There is certainly a time cost, and it's really fun explaining that "no, I do not have a land-line phone" and "no, I don't get bills from my mobile phone company, but I can print out what qualifies as a bill from my Project Fi page[1]" all while trying to understand the accent of the non-native-English speaker I was working with.

[0] Not purely for signing open-source software, but I use it 99% of the time for signing Open Source software ... and miserable PowerShell scripts so that I don't have to remember to override the default security policy.

[1] The number of eye-rolls around the security theater involved in all of this was comical. They asked for photocopies of 6 or 7 different documents, all of which would have been trivial to forge with any information I wanted if I were so inclined. The only real verification around these documents is the notary requirement -- which, at least where I live, notaries are punished harshly if they don't follow the rules.


