Digitally signing Windows installer

[WhatDoesTheFoxSay]

Since Radiant is a rare download from a 'stats' perspective (pun intended?), it gets caught by the Windows 10 SmartScreen feature (and Defender). If the app were digitally signed, this hinderance could be minimized.

[vnijs]

Fair point. Our schools IT created the windows installer and, apparently, getting it digitally signed is a bit of a hassle. You obviously don't have to use the all-in-one-installer but we do get a lot fewer questions and comments students since we started using it. If you know how to get something digitally signed and would be willing to contribute I assume I can get the installer script put on github as well.

[WhatDoesTheFoxSay]

Hello! The certificate would need to be a 'code signing' certificate. This is different from a typical SSL certificate (server authentication). Ideally you would get a code-signing certificate from one of the root certificate authorities that's installed by default on all Windows systems such as DigiCert, Entrust, GoDaddy, Globalsign, etc. That way it is trusted (meaning the digital signer, yourself, is known/authenticated). These aren't free as the certificate issuer usually needs to verify your identity for traceability and accountability purposes. Alternatively (less desirable but it is also free) your school's IT department could issue a code signing certificate from their certificate authority, but it won't be trusted by the global community... but that's better than the packages simply being unsigned. To answer your other question on adding it onto your build script... It is a 1-liner for signing it. This site does a good job of showing examples - https://www.exemsi.com/documentation/sign-your-msi/ signtool.exe sign /f certificate.pfx /d "My Description" /p PW1234 /v /sha1 1475F2E273906580AF578416E6ACE8C91AE3E62D /t "http://timestamp.comodoca.com/authenticode" setup.msi

…

On Fri, Aug 21, 2020 at 1:39 AM Vincent Nijs ***@***.***> wrote: Fair point. Our schools IT created the windows installer and, apparently, getting it digitally signed is a bit of a hassle. You obviously don't have to use the all-in-one-installer but we do get a *lot* fewer questions and comments students since we started using it. If you know how to get something digitally signed and would be willing to contribute I assume I can get the installer script put on github as well. — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub <#137 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AEDOP24A3IVKFNLBQLUX62TSBYCB3ANCNFSM4QGZ7S3Q> .