Cura Lulzbot Edition - No Signed Security Certificate??

Why is there no signed security certificate for the Lulzbot Edition of Cura?

For security reasons, our company requires that software installed on our systems includes a signed security certificate. This is a necessary requirement, as many bad actors are using sophisticated techniques to breach IT systems.

I am using the standard Cura package now, because it has a signed certificate. When is Lulzbot going to enter the 21st century and provide one?

Bob

Instead of depending on one of several third-party companies to sign our packages, we use SHA512 checksums for verification of package integrity. Your IT department can compare the SHA512 checksum for the file against the official checksums here:

Windows: http://download.alephobjects.com/lulzbot/Software/cura-lulzbot/windows/SHA512SUM
Mac: http://download.alephobjects.com/lulzbot/Software/cura-lulzbot/mac/SHA512SUM
Linux: Your package manager will compare the checksum against any of the values we have available: MD5sum, SHA1, SHA256, and SHA512.


As part of our core ethos, we only use Free Software. We’re able to make sure that the global community can contribute back, transparently, by only using software that’s Free as in Freedom, not just free as in cost.

In that case, why can’t you use GnuPG to sign it? Checksums can verify the integrity of a malicious package as easily as a benign one.

I’m confident that your software is not malicious, but IT systems get breached because people develop bad habits that cause costly damage, restricting the freedom of everyone in the global community, including my freedom to use Cura Lulzbot Edition on my brand new Taz 6.

Bob
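
An added example, not from the thread or from LulzBot: a Python check of a downloaded file against a `sha512sum`-style manifest, as the reply above describes, with a constructed demonstration of the point that a manifest fetched over the same channel as an altered file still matches it. The file name, file contents and the `<digest>  <filename>` manifest layout are assumptions made for the example.

```python
import hashlib
import hmac
import os
import tempfile


def sha512_file(path, chunk_size=1 << 20):
    """Stream the file so large installers are not read into memory at once."""
    digest = hashlib.sha512()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def parse_manifest(text):
    """Parse sha512sum-style lines: '<128 hex chars>  <name>' or '<hex> *<name>'."""
    entries = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 128:
            continue  # skip blank or malformed lines
        entries[parts[1].lstrip("*")] = parts[0].lower()
    return entries


def verify(path, manifest_text):
    """True only if the manifest lists this file name with a matching digest."""
    expected = parse_manifest(manifest_text).get(os.path.basename(path))
    return expected is not None and hmac.compare_digest(expected, sha512_file(path))


def demo():
    """Constructed data: a stand-in installer, then a copy altered in transit."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "example-installer.exe")  # hypothetical name
        with open(path, "wb") as fh:
            fh.write(b"original release bytes")
        trusted = f"{sha512_file(path)}  example-installer.exe\n"  # obtained out of band
        with open(path, "wb") as fh:
            fh.write(b"altered bytes")
        # A manifest served over the same channel as the altered file agrees with it.
        same_channel = f"{sha512_file(path)}  example-installer.exe\n"
        return verify(path, same_channel), verify(path, trusted)


if __name__ == "__main__":
    print(demo())  # (same-channel manifest result, trusted manifest result)
```

The check only says as much as the manifest's source does: the altered file is caught when the digest came from a separate trusted channel, and passes when the manifest came from the same place as the file.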

Ahh, thank you for the suggestion. We will get with our software team to see what we can do!

I’d appreciate whatever you can do.

Thanks,

Bob

One other thought - on the Mac, obviously the only way to ‘Apple-friendly-sign’ the software is using Xcode and getting an Apple developer account. While the software is free, I suspect the account requirement is the stumbling block to getting signed code. For most of us, that’s not a big deal, but they do need to change the install instructions. If the user right-clicks and chooses Open on the app, it’ll run and then set the ‘approved’ flag so they don’t have to in the future. Having folks permanently disable Gatekeeper exposes them to accidental installs of malicious code.