OpenTTD's Windows installer should be signed #8056

Closed

LordAro opened this issue Apr 3, 2020 · 3 comments · Fixed by #9294

@LordAro (Member) commented Apr 3, 2020

Version of OpenTTD

1.10.0, but all

Expected result

Running the installer should work seamlessly

Actual result

Windows Defender SmartScreen complains about the installer being from an unknown location, resulting in a worrying error message that you need to know that you can click past to continue.

(screenshot of the SmartScreen warning, not reproduced here)

Steps to reproduce

  • Download the installer
  • Run the installer
  • See window

We need to get an EV code signing certificate from somewhere - https://docs.microsoft.com/en-us/windows-hardware/drivers/dashboard/get-a-code-signing-certificate
And run it (securely) on the generated installer (something like this, but we're not yet using Actions for actual OTTD) https://github.com/dlemstra/code-sign-action
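The signing step proposed above, as an added example that is not OpenTTD's build tooling or the linked GitHub Action. It assumes `signtool.exe` from the Windows SDK is on `PATH`, that the certificate (an EV cert on a hardware token, or a Certum SmartCard cert) is visible in the `CurrentUser\My` store, and placeholder values for the installer path, certificate thumbprint and the RFC 3161 timestamp URL. It also shows the two checks worth running on the artifact afterwards: an Authenticode verification, and a look at the `Zone.Identifier` stream that a browser download adds and that SmartScreen keys on when reproducing the warning.

```powershell
# Added example, not OpenTTD's own script. Placeholder values below are assumptions.
$Installer  = 'C:\build\openttd-installer.exe'       # placeholder path to the built installer
$Thumbprint = '0123456789ABCDEF0123456789ABCDEF01234567'  # placeholder cert thumbprint
$TsaUrl     = 'http://timestamp.digicert.com'          # any RFC 3161 timestamp server

# Sign with a SHA-256 file digest and a SHA-256 RFC 3161 timestamp. The timestamp is what
# keeps the signature valid after the (annual) certificate expires, so never skip it.
& signtool.exe sign /fd sha256 /td sha256 /tr $TsaUrl /sha1 $Thumbprint $Installer
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# Verify against the default Authenticode policy (/pa); /v prints the full chain.
& signtool.exe verify /pa /v $Installer
if ($LASTEXITCODE -ne 0) { throw "Authenticode verification failed" }

# The same check from PowerShell. Status 'Valid' is what we want; 'NotSigned' is the
# state that produces the "Unknown publisher" text in the SmartScreen dialog.
function Get-InstallerSignatureReport {
    param([Parameter(Mandatory)][string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Status     = $sig.Status
        Subject    = $sig.SignerCertificate.Subject
        Thumbprint = $sig.SignerCertificate.Thumbprint
        Timestamp  = $sig.TimeStamperCertificate.Subject
    }
}
Get-InstallerSignatureReport -Path $Installer

# SmartScreen only evaluates files carrying a Mark-of-the-Web. A browser download writes
# it as the Zone.Identifier alternate data stream (ZoneId=3 means "Internet"); a file
# produced locally by the build has no such stream, which is why the warning is only
# reproducible on a downloaded copy.
Get-Content -Path $Installer -Stream Zone.Identifier -ErrorAction SilentlyContinue
```

Note that a valid signature removes "Unknown publisher" from the dialog but does not by itself silence SmartScreen: with a non-EV certificate the reputation of the signer still has to build up over time, which is the point TrueBrain raises below.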

@TrueBrain (Member) commented Apr 4, 2020

EV code signing certificates are expensive. Like, 400 euro a year, expensive. This is a lot of money to sign code. Money that could have been spent better, tbh. It is a bit sad that companies ask this much for these kinds of certificates. Don't get me wrong, an initial 400 euro I could understand, they have to validate you etc. But every year if you extend your cert .. that is unbelievable. Anyway, I am ranting.

There is one company that helps out Open Source: https://en.sklep.certum.pl/data-safety/code-signing-certificates/open-source-code-signing-1022.html
It is 25 euro a year + buying a SmartCard (and a reader, I guess :P) once. So that is much more okay for a project like this. It is only not an EV cert. That means that the SmartScreen Filter still kicks in, while we would grow reputation. It is totally unclear how the growth of reputation works. It does remove "Unknown Publisher", and replaces it with whatever legal entity requested the Code Signing Cert. But it still shows a similar screen.

This comment just to get this ball rolling a bit :)

@TrueBrain TrueBrain changed the title OpenTTD's installer should be signed OpenTTD's Windows installer should be signed Apr 4, 2020
@TrueBrain (Member) commented Apr 14, 2020

As this is an ongoing discussion on several levels, I put out a gist with a summary of what we know:
https://gist.github.com/TrueBrain/d8ec26316a4c4b9f5d6e0b4e84d96db7

I could use advice (backed up with reading material, of course). This really feels to us like an HTTPS certificate felt 3 years ago. Difficult to navigate, you don't really know what you get, and you hope everything works out for the best. So any guidance is appreciated.

@orudge (Contributor) commented Apr 13, 2021

I'll perhaps have a look at another certificate supplier and give this another shot...
