Failed to check the publisher of the software when running Valentina

Failed to check the publisher of the software when running Valentina

Modern versions of Windows have a built-in security system which checks that executable files are digitally signed. These signatures help identify the program’s origin and also help protect the program files from tampering. Previously, Valentina was also distributed with a developer’s signature, and now we have lost that capability. In this article, we’ll talk about why this has happened and the implications for Valentina users.

In today’s world, the issue of cyber security is becoming more pressing every day. The rapid development of the internet has closely linked the world and brought it closer. As a consequence, the IT industry is booming. The speed of information exchange is staggering. When Windows first appeared, the Internet was slow and software took a long time to propagate. Now millions of users have access to information the moment it is published. This is creating a crisis of trust. Hacks, spoofing. Without a reliable system to verify the source of the software, sooner or later it could lead to a disaster.

The way the industry has gone about it raises many questions. The big companies want to make money, so they have introduced a system where you are sold air, numbers. In order to verify your identity you have to buy a certificate from them and go through the bureaucratic process of identification.

As soon as Microsoft added digital signature verification to its new products, we thought about buying a digital signature for ourselves. And for several years we successfully paid for the certificate and distributed our digitally signed versions. You can see what this looked like in the picture above. The money to finance the purchase of the certificate was taken from the salary of the project’s main developer. But after losing this income the project is no longer able to buy updates.

It looks like this. In order to start using the certificate you have to buy a special cryptographic card and reader.

The price of such a card is €69. Of course certificate must be purchased separately. That’s another €25.

However, lately this is not enough for us. Since they’ve switched to longer key lengths it’s necessary to upgrade the cryptographic card to a newer one. And that’s another €30.99.

Consequently, the upgrade price for us will be around €60. A huge amount for our budget. And we are not alone. Now and then there are news about projects which refuse to renew certificates and suffer from this.

In our chatroom on Telegram we created a survey and this is the result we got. Most people don’t understand what it is or don’t think it’s necessary. And they clearly don’t appreciate big corporations. The warning mechanism has a design that can easily intimidate an inexperienced user. You can easily expect up to 30% rejection rates among users when trying to launch it.

The philosophy behind Valentina’s distribution model attempts to protect users. Since the project’s source code is open source and will remain so, this gives you a number of unique rights: the right to copy, modify and redistribute as long as the rules of your use remain unchanged. This greatly limits the developers’ ability to make money and breaks their monopoly. The model we have chosen involves active participation of the community in the life and development of the project. We still haven’t fully reached this idealistic situation in its development. The project has received a lot of feedback and ideas for improvement. However, a very small part wants to make a real contribution to the writing of the code or the documentation, hello to those wishing to fill in the wiki.

The situation is further complicated by accusations against us. When we raised the issue of fundraising to purchase a certificate, accusations began to fly that we should not ask users for money when we sell merchandise. This wording of the issue is very surprising and frustrating. People seem to have the wrong impression about the level of sales revenue from which we finance the development of the project. So, apart from the fact that I’m writing these lines and I can hear the ocean and I can see a palm tree from my window. I come home driving my fancy new car, you get the idea .... .

In general, some of the situation around the project needs clarification. As we planned, an ecosystem of businesses, course organisers and bloggers is forming around the project. And that’s great. But no one sees Valentina herself in the pursuit of money anymore. It’s like the crowds getting in front of you and shutting you out completely. All that’s left in sight is a big banner with the words Valentina Project on it. Everyone gets under it and raises their smaller banners - they’re part of Valentina too. And it works. People get the impression that they are buying something from the project. It is not uncommon for unscrupulous bloggers or course organisers to fail to explain the origins of the software to their clients. And such clients come to us with a hundred percent confidence that they have purchased a course from us. People are confused about where the official website of the project is, who the authors are and who they should thank. Do you know the name of the main developer? No, not Gennady. Roman. It becomes important not who actually does the development, but who organizes more master classes and marathons. There is nothing wrong with that. If Valentina does not bring income, no one will deal with it. You just have to keep in mind the cost of development. After all, if a developer goes bankrupt or loses motivation, there will be no one to continue this banquet. Perhaps for all those who are now making money on the project it is just a hype? Until it is here we are here, if not we will find another program.

The project team, in order to survive, not only has to engage in development, but also has to compete in the field of information products with a bunch of projects that don’t have to directly engage in development. This slows down development and makes our contribution unclear.

In classic commerce, you won’t be able to use the project name as you wish. No, you will get your hands twisted and have the shop shut down quickly. You will pay for every copy you buy, not forever, but once a year. And they will charge you the right price. And believe me, it has nothing to do with the quality of the project. If there is no alternative, the quality will not matter, there is nowhere to go. Do you like it? I think not very much. But developers are fed, clothed and confident in the future. And the courses will be conducted only by licensed organizations. That’s the way it is.

The behaviour of people commercially exploiting Valentina demands our reaction. It is a pity that, for lack of understanding among this public, the project itself and ordinary users will suffer. We refuse to support such untidy businesses from our own pockets. We clearly understand that the lack of signatures will hit us too, but there is no other choice in this situation to draw attention to this problem. We are on our own and they are on their own.

Since the launch of the new site, there has been a button on the download page where you can donate. And precisely because it is extremely unpopular, we will not be announcing a fundraiser. Instead we will go a different route.

The next Windows versions of the program will be released without a key. That’s why this article exists. To clarify the current situation. In the future, if the community fails to cope with the Windows warnings, we will introduce the practice of publishing signed collections and charge a small fee for downloading each version. Somewhere around 1-2€ in order to recoup the purchase of the key. This is a forced step. Since we can only rely on the purchasing power of our own users.

What are the alternatives?

• You can use versions from our colleagues at the Seamly2D project. They will most likely never have such problems.
• Or you can purchase a key, create your own builds and distribute to your subscribers. It is not so difficult and the source code is still open.
• Upgrade less often and thus make the cost minimal.
• Don’t use Valentina.

The chances of not needing a certificate are low. The experience of Mac OS users with a similar problem shows that a great number cannot find a solution on their own. And the chaos created by the course organisers and the problem within the project itself makes it impossible to be sure that users clearly know where the official site is. Not only that, but it does not exclude the chance for the project infrastructure itself to be hacked.