Why is there no signed security certificate for the Lulzbot Edition of Cura?
For security reasons, our company requires that software installed on our systems includes a signed security certificate. This is a necessary requirement, as many bad actors are using sophisticated techniques to breach IT systems.
I am using the standard Cura package now, because it has a signed certificate. When is Lulzbot going to enter the 21st century and provide one?
Instead of depending on one of several third-party companies to sign our packages, we use SHA512 checksums for verification of package integrity. Your IT department can compare the SHA512 checksum for the file against the official checksums here:
As part of our core ethos, we only use Free Software. We’re able to make sure that the global community can contribute back, transparently, by only using software that’s Free as in Freedom, not just free as in cost.
In that case, why can’t you use GnuPG to sign it? Checksums can verify the integrity of a malicious package as easily as a benign one.
I’m confident that your software is not malicious, but IT systems get breached because people develop bad habits that cause costly damage, restricting the freedom of everyone in the global community, including my freedom to use Cura Lulzbot Edition on my brand new Taz 6.
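The checksum procedure Lulzbot describes above, and the objection raised against it in this reply, shown on constructed files. This is an added example and not Lulzbot's or Cura's own tooling; the package name, the SHA512SUMS layout ("hex digest, two spaces, filename", as GNU sha512sum emits it) and the helper names are assumptions.

```shell
#!/bin/sh
# Added example, not Lulzbot's or Cura's own tooling. Verifies a downloaded
# package against a SHA512SUMS file and then shows, on constructed files, why
# the same check passes when an attacker replaces both the package and the
# checksum file. File names and the sums-file layout are assumptions.
set -u

# Print the hex SHA-512 of FILE using whichever tool the host has
# (GNU coreutils sha512sum, or the Perl shasum shipped with macOS).
sha512_of() {
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum "$1" | awk '{print $1}'
    else
        shasum -a 512 "$1" | awk '{print $1}'
    fi
}

# verify_package FILE SUMSFILE
# Returns 0 when FILE's SHA-512 matches the entry for its basename in SUMSFILE,
# 1 on a mismatch, 2 when SUMSFILE carries no entry for that name.
# Accepts both "digest  name" and the binary-mode form "digest *name".
verify_package() {
    file=$1; sums=$2
    name=$(basename "$file")
    expected=$(awk -v n="$name" '$2 == n || $2 == ("*" n) {print $1; exit}' "$sums")
    [ -n "$expected" ] || return 2
    actual=$(sha512_of "$file")
    [ "$actual" = "$expected" ] || return 1
    return 0
}

# Write one SHA512SUMS-style line for FILE, the way a publisher would.
sums_line_for() {
    printf '%s  %s\n' "$(sha512_of "$1")" "$(basename "$1")"
}

# Three cases on a constructed stand-in package:
#   1. genuine package, publisher's sums file      -> passes
#   2. tampered package, publisher's sums file     -> caught
#   3. tampered package, attacker-regenerated sums -> passes again
# Case 3 is the gap a detached signature over SHA512SUMS would close:
# the attacker can regenerate a digest, but not a signature under a key
# the user obtained out of band. Returns 0 when all three behave as listed.
demo() {
    d=$(mktemp -d) || return 1
    pkg="$d/cura-lulzbot.AppImage"                 # constructed, not a real build
    printf 'constructed stand-in for the real package\n' > "$pkg"
    sums_line_for "$pkg" > "$d/SHA512SUMS"
    verify_package "$pkg" "$d/SHA512SUMS"; r1=$?
    printf 'appended payload\n' >> "$pkg"          # tampering in transit or on the mirror
    verify_package "$pkg" "$d/SHA512SUMS"; r2=$?
    sums_line_for "$pkg" > "$d/SHA512SUMS"         # attacker republishes a matching sums file
    verify_package "$pkg" "$d/SHA512SUMS"; r3=$?
    rm -rf "$d"
    echo "genuine: $r1  tampered: $r2  tampered+swapped sums: $r3"
    [ "$r1" -eq 0 ] && [ "$r2" -eq 1 ] && [ "$r3" -eq 0 ]
}

demo
```

The check in `verify_package` is exactly what an IT department can do with the published checksums, and it does catch a corrupted or modified download. What it cannot do is tell you who produced the checksum file: whoever can swap the package on the download host can usually swap SHA512SUMS beside it. The step the reply above asks for is a detached signature over that file, checked with `gpg --verify SHA512SUMS.asc SHA512SUMS` against a project key fetched separately from the download itself, so that a regenerated sums file no longer verifies.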
One other thought - on the Mac, obviously the only way to ‘apple-friendly-sign’ the software is using Xcode and getting an Apple developer account. While the software is free, I suspect the account requirement is the stumbling block to getting signed code. For most of us, that’s not a big deal, but they do need to change the install instructions. If the user right-clicks and chooses Open on the app, it’ll run and then set the ‘approved’ flag so they don’t have to in the future. Having folks permanently disable Gatekeeper exposes them to accidental installs of malicious code.