Digital signature of Windows executables

[deajan]

We've already discussed this in one of the issues in zadam's repo.

Windows executables should be signed in order to avoid smartscreen screens.
One solution would be to buy a EV certificate (about $270/year) for the organization, and have one member keep the physical token.

Other solution is I can offer my company's code signing certificate services, but this would mean that I'd need to sign the windows executables (new code signing certificates require physical tokens). Of course, I vouch for my company's certificate ^^

[eliandoran]

@deajan , this sounds wonderful. We have already had a prior discussion when I started working on the Windows installer but I never managed to finish it. Hopefully I will this time. :)

Just a quick question... do you think it would be possible to automate signing? Is the EV token more like a USB stick or more like a offline token generator that requires human interaction?

[deajan]

The bad part, there's no way (I know of) to automate this.
The token is a USB key made by Thales (you can also use a Yubikey FIPS), and on every signature, you need to manually enter a password to "open" the USB token.

[eliandoran]

@deajan , OK, I understand.

I guess we can have GitHub Actions generate the unsigned binary and have a script on your side to sign the binary. And then publish the WIndows installer manually.

[eliandoran]

Created #22 to track it. This is something we need to have.

EV certificate from @deajan would be a great starting point, as proposed here.