Sign MonoGame exe installer #3189
Comments
So basically... we need $700 a year to get the best certificate which ensures we don't get blocked by Windows Smart Screen filters. That is just too expensive for this open source project. Does anyone know if the free open source certs are good enough to bypass Smart Screen? I don't want to bother getting this all setup just to still get blocked by Microsoft. |
The way I read it is that all certs are acceptable to SmartScreen, but the expensive ones come with a built-in reputation whereas the cheaper ones will earn it over time; see http://blogs.msdn.com/b/ie/archive/2011/03/22/smartscreen-174-application-reputation-building-reputation.aspx The way I read this, as long as we continue to sign our downloads with the same cert and bad files are not detected, then it will soon become flagged as 'good'. If you are unsigned and your binaries change a lot then your reputation goes the other way. The free open source ones seem to be proper Authenticode certs so they should work the same. There is much speculation in this post ;-) |
Ok... I've requested a certificate from http://www.certum.eu and should have it in the next few days. The plan for signing is to only install the certificate directly on the build machine. |
Ok... certificate installed on the build server. Now I need to fix up the build script to sign the installer EXE. |
So spent a good 4 hours trying to sign the installer EXE. It seems it says I need a .PFX file for signing the EXE... all I have is a .CER file. Everything I find that says how to make a .PFX from a .CER seems to expect there is a private key with the associated .CER... but at no time during the purchase of our certificate did it ask me for one. So I have no clue where this private key comes from... because I don't seem to have it. I am totally lost. I'll try again next week. |
Anyone have any hints as to what I need to do here? I would really like to get the EXE signed before the 3.3 release. |
Whenever I've done ssl related stuff I've made a CSR (certificate signing request) and they signed the certificate and returned a combination of certificates. When you make the CSR it should have a private key associated with it. Did they just send you a CER and you provided them nothing? |
All I have from them is a .CER file. I don't recall sending them any private key and I have no record here of creating one for this. Maybe I just need to ask them about it. |
From what I recall, when you request a certificate, your browser generates a corresponding private key and stores it in the local certificate store. When you receive the |
It might be worth mentioning that non-EV certificates [probably] don't (1) carry reputation across between renewals, as hinted at here:
(1) It's all a bit vague, so it's hard to know what's really going on, but I know from personal experience of one case, where after we renewed our code signing certificate, we found that SmartScreen started popping up again, as though it hadn't carried any reputation over from the old certificate at all, despite the new certificate being registered to the same name. Reputation may then improve for renewed certificates more rapidly than for first-time certificates, but it's really hard to tell - it's a black box system. |
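The point made above (the private key never leaves the machine where the request was generated; the CA only returns the public certificate) and the key-protection point raised in the issue body, worked through as an added example. This is not code from the MonoGame project or from anyone in this thread. It is a PowerShell script for the build machine that pairs the CA-returned .cer with the private key Windows kept in the CurrentUser\My store when the request was created, optionally exports a password-protected .pfx, signs every .exe and .dll in the build output with a timestamped SHA-256 Authenticode signature, and verifies the result. All paths, the parameter names and the timestamp URL are supplied by the caller and are assumptions of this example; it relies on the PKI module cmdlets (Import-Certificate, Export-PfxCertificate) available on Windows 8 / Server 2012 and later.

```powershell
<#
Added example (not MonoGame project code). Assumes the certificate request was generated
under this same Windows account, so the private key already sits in Cert:\CurrentUser\My,
and that the PKI module cmdlets are available (Windows 8 / Server 2012 or later).
#>
[CmdletBinding()]
param(
    # The .cer file the CA returned: public certificate only, no private key inside.
    [Parameter(Mandatory)] [string] $CerPath,
    # Build output to sign: the installer .exe plus every shipped .exe/.dll.
    [Parameter(Mandatory)] [string] $BuildOutputDir,
    # RFC 3161 timestamp URL published by the CA; keeps signatures valid after the cert expires.
    [Parameter(Mandatory)] [string] $TimestampServer,
    # Optional: export a .pfx for tools that need one (e.g. signtool on a build agent).
    [string] $ExportPfxPath
)

$ErrorActionPreference = 'Stop'

# Step 1: import the CA-issued .cer into the personal store. Windows pairs it with the
# private key generated when the request was made; if the request came from another
# machine or account, HasPrivateKey stays $false and nothing below can work.
$imported = Import-Certificate -FilePath $CerPath -CertStoreLocation 'Cert:\CurrentUser\My'
$cert = Get-ChildItem -Path 'Cert:\CurrentUser\My' |
    Where-Object { $_.Thumbprint -eq $imported.Thumbprint }

if (-not $cert.HasPrivateKey) {
    throw "No private key found for $($cert.Subject). Generate the request on this machine/account, or ask the CA how the key was delivered."
}
if ($cert.NotAfter -lt (Get-Date)) {
    throw "Certificate expired on $($cert.NotAfter)"
}
Write-Host "Using $($cert.Subject) (thumbprint $($cert.Thumbprint))"

# Step 2 (optional): export a password-protected .pfx. The password is read interactively so
# it never appears in the script, a CI log or the repository; the file is then restricted
# to the build account only.
if ($ExportPfxPath) {
    $pfxPassword = Read-Host -Prompt 'PFX export password' -AsSecureString
    Export-PfxCertificate -Cert $cert -FilePath $ExportPfxPath -Password $pfxPassword | Out-Null

    $me   = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    $acl  = Get-Acl -Path $ExportPfxPath
    $acl.SetAccessRuleProtection($true, $false)   # drop inherited ACEs
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $me, 'FullControl', 'Allow'
    $acl.SetAccessRule($rule)
    Set-Acl -Path $ExportPfxPath -AclObject $acl
}

# Step 3: sign every .exe and .dll in the build output (not only the installer), with a
# SHA-256 digest, the full chain embedded, and a trusted timestamp.
$targets = Get-ChildItem -Path $BuildOutputDir -Recurse -Include *.exe, *.dll
foreach ($file in $targets) {
    $sig = Set-AuthenticodeSignature -FilePath $file.FullName -Certificate $cert `
        -HashAlgorithm SHA256 -TimestampServer $TimestampServer -IncludeChain All
    if ($sig.Status -ne 'Valid') {
        throw "Signing failed for $($file.FullName): $($sig.Status) $($sig.StatusMessage)"
    }
}

# Step 4: verify independently, the way a consumer (or SmartScreen) would see the result.
$bad = $targets |
    ForEach-Object { Get-AuthenticodeSignature -FilePath $_.FullName } |
    Where-Object { $_.Status -ne 'Valid' }
if ($bad) {
    $bad | ForEach-Object { Write-Warning "$($_.Path): $($_.Status)" }
    throw "Some files are not validly signed"
}
Write-Host "Signed and verified $($targets.Count) file(s)"
```

Run it under the same account that created the certificate request; otherwise HasPrivateKey is false and the script stops before touching any file. If the build pipeline uses signtool instead of Set-AuthenticodeSignature, the exported .pfx is what its /f switch consumes; either way the password is entered at run time and never lands in the repository.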
Interesting... I'll give this a try today! |
For OpenRCT2Launcher I also used Certum to get a code signing certificate. |
@runelaenen - Thanks... I really need to fix this ASAP. |
I'm bumping this issue to add some information. I think that the MonoGame dlls should be signed too. I and some other devs I've been talking to are running into an Avast issue. Since mid-November, a bug in Avast's DeepScreen option can make binaries fully hang if they are not signed. We reached Avast; they didn't acknowledge the bug but instead suggested that we sign all our binaries to bypass DeepScreen... The thing is that Avast told us that for any binary to pass their DeepScreen, it has to be signed with a certificate issued by one of their own root authorities, which they told us is a subset of Windows trusted roots (but we don't know which authorities they excluded). Certum is a trusted root for Windows, so that should be fine, but we can't be sure without asking Avast again. The root authorities can be found by launching (In our situation, we are signing any dll/exe that we ship to avoid being blocked...) |
May as well put a disclaimer on the website saying some antiviruses will block or impede the installer or your game. That's a fairly common thing for binary vendors to say, considering most always-active Antiviruses do more harm than good. Better to just warn people they're already running bossy malware than worry about getting around it. |
Closing as with 3.8 this will no longer be an issue. |
When you install the Windows-based installer on Windows 8 it is blocked by SmartScreen and shows 'unknown' as the author.
Most developers know what to do to get round it, but it's more professional to get this correctly signed.
MSDN: how to sign an installer http://msdn.microsoft.com/en-us/library/aa368289(v=vs.85).aspx and more http://msdn.microsoft.com/en-us/library/ms537361(VS.85).aspx
Protection of the private keys is something that needs careful consideration though. They cannot be in the public repo and need to be accessible to as few people as possible. See https://github.com/blog/1390-secrets-in-the-code
This article says that Thawte provides free code signing certs for open source http://www.bloomberg.com/apps/news?pid=newsarchive&sid=aS5Plr02f8Is
This is another company that offers free open source certs http://www.certum.eu/certum/cert,offer_en_open_source_cs.xml
More information on signing here - the EV certificates are very expensive though $500-$700 a year http://blogs.msdn.com/b/ie/archive/2012/08/14/microsoft-smartscreen-amp-extended-validation-ev-code-signing-certificates.aspx
We use Digicert for guncraft - they were very reliable https://www.digicert.com/code-signing/ev-code-signing-compared.htm