
Add code signing to the Windows MSI package command

Open freakboy3742 opened this issue 5 years ago • 5 comments

MSI installers can be code signed so that users don't get the "unknown publisher" warning when installing your app.

This blog post seems to cover the steps involved in signing an MSI file; it may be helpful in building a solution.

The --no-sign command line option used on the macOS package command should be mirrored here.

freakboy3742 avatar Apr 19 '20 09:04 freakboy3742

I wanted to start tackling this issue, but then I realized that in order to validate that this is working I need to get a code signing certificate, which costs money.

Do you have a certificate I can use for testing? or a dummy certificate that I could use?

saroad2 avatar Jun 14 '20 14:06 saroad2

We don't; but if you need one, I can cover the cost. Let me know what you need/where to get it, and I can sort it out for you.

That said: most certificate handling code has an option for "self signed" certificates. The cost comes when you want an external party to validate that the certificate is valid, but you can usually generate a certificate that will be valid for the purposes of "being a certificate". This is (or was, before LetsEncrypt) a common approach for testing HTTPS webservers - you can generate a self-signed certificate, but the certificate doesn't have a trust chain, which is what actually provides the security. Is there a "self signed" testing option for Windows app signing? This page would seem to suggest there might be.

freakboy3742 avatar Jun 14 '20 22:06 freakboy3742
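The workflow the comment above is asking about, as an added example (not Briefcase's own code, and not from any commenter): a PowerShell script that mints a throwaway self-signed code-signing certificate, signs an MSI with `signtool`, and then reads the signature back so you can see the "no trust chain" point for yourself. It assumes `signtool.exe` from the Windows SDK is on `PATH`, that the DigiCert timestamp URL is reachable (the timestamp keeps the signature valid after the certificate expires; drop `/tr` and `/td` to sign offline), and the certificate subject `CN=Briefcase Test Signing` and description `My App` are placeholders.

```powershell
# Sign an MSI with a self-signed test certificate, mirroring a --no-sign style opt-out.
# Added example; names below are assumptions, not Briefcase API.
param(
    [Parameter(Mandatory)] [string] $MsiPath,
    [string] $Subject = "CN=Briefcase Test Signing",   # placeholder subject for the throwaway cert
    [switch] $NoSign                                     # skip signing entirely, like --no-sign on macOS
)

if ($NoSign) {
    Write-Host "Signing skipped for $MsiPath"
    return
}

# 1. Self-signed code-signing certificate in the current user's personal store.
#    It is a real certificate as far as signtool is concerned, but nobody trusts it.
$cert = New-SelfSignedCertificate -Type CodeSigningCert -Subject $Subject `
    -CertStoreLocation Cert:\CurrentUser\My -KeyUsage DigitalSignature `
    -KeyExportPolicy Exportable -NotAfter (Get-Date).AddYears(1)

# 2. Export it as a PFX with a random one-off password so signtool can load it.
$plainPassword = [guid]::NewGuid().ToString()
$pfxPassword   = ConvertTo-SecureString -String $plainPassword -AsPlainText -Force
$pfxPath       = Join-Path $env:TEMP "briefcase-test-signing.pfx"
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword | Out-Null

# 3. Sign the MSI. /fd and /td select SHA-256 for the file and timestamp digests;
#    /tr asks an RFC 3161 timestamp server to countersign (assumed reachable).
& signtool.exe sign /f $pfxPath /p $plainPassword /fd SHA256 `
    /tr http://timestamp.digicert.com /td SHA256 /d "My App" $MsiPath
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }
Remove-Item $pfxPath -Force

# 4. Read the signature back. The hash checks out, but Status will not be Valid:
#    the chain ends in a root Windows does not trust, which is the whole point of paying a CA.
$sig = Get-AuthenticodeSignature -FilePath $MsiPath
Write-Host ("Signer : {0}" -f $sig.SignerCertificate.Subject)
Write-Host ("Status : {0} ({1})" -f $sig.Status, $sig.StatusMessage)

# To silence the warning on a dev machine only, trust the test cert explicitly:
#   Export-Certificate -Cert $cert -FilePath test.cer
#   Import-Certificate -FilePath test.cer -CertStoreLocation Cert:\CurrentUser\Root
#   Import-Certificate -FilePath test.cer -CertStoreLocation Cert:\CurrentUser\TrustedPublisher
# Never ship that root to users; a real publisher cert from a CA is what removes the
# "unknown publisher" prompt on machines you do not control.
```

Run it as `.\sign-msi.ps1 -MsiPath .\dist\MyApp.msi` (or with `-NoSign` to exercise the opt-out path). The interesting output is step 4: `signtool verify /pa /v MyApp.msi` will likewise report the chain as untrusted, which is exactly the distinction between "is a certificate" and "has a trust chain" made above.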

I never used code signing before, so I'm not familiar with the specifics of how it is done, but if you say I can use self-signed certificates, that would be more than enough by now for development. Once we finish, maybe we should consider trying out a "real" certificate on one of our BeeWare-based programs (Maybe Cricket for example).

I'll let you know how it's going :)

saroad2 avatar Jun 15 '20 10:06 saroad2

I just stumbled across this and was hyped until I found you also didn't solve signing yet 😄 ... Just fyi: I once dug into it a little and saw that Certum is offering a rather cheap Open-Source certificate. Everything else seems WAY too much for a hobby project.

ewerybody avatar Jun 28 '20 15:06 ewerybody

@ewerybody Thanks for the link. The cost isn't a huge impediment; thanks to some very generous sponsors, we have a small income stream to offset expenses like this. That said, cheap is always nice... :-)

freakboy3742 avatar Jun 28 '20 23:06 freakboy3742