![]() Despite how much fun I’m having, I don’t want this to be an annual event.Įxpect the vetting process to take a while (a couple weeks). I’m hoping to set-it-and-forget-it for 3 years. After reading this article, they later saw success (1 week turnaround) with GlobalSign. One commenter went with Sectigo, waited months, only to find the cert didn’t work with Azure for some reason. Let me know in the comments if you’ve tried other providers. I know 2-3 very unhappy devs who were assuming ECC would work (and were sold “ECC code signing” certificates from resellers). You’ll need an RSA only certificate to pass SmartScreen. On GlobalSign, for example, you want to buy the HSM Implementation.ĭo not buy ECC certificates (such as ECDSA) from providers like Sectigo or resellers. When ordering, make sure you are NOT getting a physical key. I went with GlobalSign because they advertise and have explicit support for using Azure as certificate storage. Prefer Amazon? Sorry, they don’t support OV/EV storage at this time. Prefer Google as your corporate overlord of choice? Apparently someone made a GitHub Action for Google KMS and Michał has written an extremely extensive article on his journey with Google KMS. If you just want to fast forward to the end result, check out my Pamplejuce template on GitHub. We’re going to use Azure to store the key and GitHub Actions to do the signing. And you’ll might need to pay a bit ($5/mo) for opportunity to store your cert on a cloud HSM. Microsoft won’t offer you the cert, but they’ll host it. Luckily, the industry is in transition (read: □□□) and both Google and Azure offer “cloud HSM” services.That’s pretty incompatible with modern development workflows that use CI… which is the motivation for this blog post. The “old school” method is still dominant: Certs are deployed on a physical dongle, referred to as a Hardware Security Module (HSM).It’ll cost you to interact with these cert issuers, both in time and money.You’ll have the absolute pleasure of selecting which one of the cabal of slow moving, expensive enterprise companies (sporting websites looking like they were made in 1999) you’d like your soul crushed by. You need a EV cert from a third party issuer (not Microsoft).Plus, you can store that cert itself as a secret in CI. On macOS, you pay a flat rate to Apple to have a dev account - a code signing cert and service is just one of the many benefits. You’ll need to manually upload every single version though… What’s the damage? I’ve been hearing some indie devs say this helps the individual binary gain (good) reputation. You can do this if they are triggering smart screen or even preemptively before having users download them. Reallllly adverse to paying money and / or reallllly new and small and indie? In that case you can try manually uploading your binaries to be analyzed by Microsoft. Only the EV cert solves the issue completely. Each binary will need to “gain reputation” over a certain amount of time (a month?) before it’s marked as safe. That’s a pain in the neck and it will still throw up Malware warnings under circumstances you can’t control - especially while getting started as a business. No, you don’t want the (cheaper) OV cert. To resolve this friction, you’ll need to cough up and pay the certificate mafia a yearly fee for an “Extended Validation” (EV) code signing certificate. (Microsoft adding this much friction to the code signing process is also unfriendly, but hey, that might be finally changing!) Adding friction at the start is unfriendly - especially for less technical users, who might not know what action to take. Installation is the start of the user’s first experience with your product. Your installer will throw up a Malware warning on Windows by default. They have stopped taking additional people into the preview, citing an imminent public launch (likely with the next big Windows announcements). Until then, come navigate this just-barely-functional world of enterprise code signing with me.Ģ024 Update: Azure is working on a Code Signing product and it’s now in Private Preview, along with a companion GitHub Action. I ended up speaking with several helpful members of the GitHub Actions team about improving both the process and the documentation. It’s enough of a problem that in 2022, I cold-emailed the CEO of GitHub about the difficulty of building deployable Windows apps on GitHub infrastructure. This process is surprisingly difficult and not well documented. ![]() This post walks through what it takes to code sign Windows installers in the cloud with an Extended Validation (EV) cert.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |