Shoutout: Azure Trusted Signing
-
Anybody that has ever tried to go through the code signing procedure on Windows will know how absurdly bad the experience is and paying an obscene amount of money to a random company so that your end user will not be screamed at during the installation procedure did prevent me from doing so (at least with the HISE installers).
While the extortion feeling hasn't changed too much, the new service from Microsoft is at least cheaper (like as cheap as doing the same thing on macOS) and the procedure is somewhat reasonable, so I tried again and was rather pleased about the outcome.
I went through this guide:
KoalaDocs/azure-code-signing-for-plugin-developers.md at master · koaladsp/KoalaDocs
Useful articles for plugin developers. Contribute to koaladsp/KoalaDocs development by creating an account on GitHub.
GitHub (github.com)
which took me about an hour of pasting weird strings between places but now it's setup and the HISE installers should be codesigned properly. You need to have a business with a valid tax ID for more than three years and your email must have a unique domain (my first validation was denied because I used a googlemmail account). Apart from that everything went smooth.
-
@Christoph-Hart Does this provide the same level as an EV cert (skipping the reputation issue)?
Libre Wave - Freedom respecting instruments and effects
My Patreon - HISE tutorials
YouTube Channel - Public HISE tutorials -
@Christoph-Hart This is useful to know, thanks.
Currently InnoSetup 6.0.3 and LazySign (self signing tool) is working for me...
-
@d-healey yup, the certificate is from Microsoft so the reputation should be fine, but I'm no expert here...
That's what I see when I inspect the signature:
-
Currently InnoSetup 6.0.3 and LazySign (self signing tool) is working for me...
But does this prevent the popup in the installer? Last time I checked this didn't work (I used a self-signed certificate to sign the AAX plugin, but I couldn't get it to silence the installer warning).
-
@Christoph-Hart no it doesn't, but no one ever complains about that as we know. I'm assuming Azure does?
DHPlugins / DC Breaks | Artist / Producer / DJ / Developer
https://dhplugins.com/ | https://dcbreaks.com/
London, UK -
@Christoph-Hart I'll have to do some tests. According to the website it's just base reputation which I believe is a level below what EV provides.
-
but no one ever complains about that as we know.
Yeah it takes a particularly annoying customer that would get vocal about this, but it certainly isn't giving the best first impression. It's not critical and I too have been raw dogging the installers on Windows for years but this is the first time that I think the cost / benefit ratio is reasonable.
According to the website it's just base reputation which I believe is a level below what EV provides.
What additional benefits do the EV certificates have? I just care about getting rid of that nasty popup, I couldn't bother less about making my software more secure lol.
-
@Christoph-Hart said in Shoutout: Azure Trusted Signing:
What additional benefits do the EV certificates have?
If the signed installer doesn't have enough reputation it will be flagged by the smartscreen filter. The user will see warning messages when they try to download or run the installer.
This kind of thing
EV certificate allows you to bypass the reputation building stage - which must be repeated for every new version apparently.
-
@Christoph-Hart said in Shoutout: Azure Trusted Signing:
But does this prevent the popup in the installer?
Submitting to the Defender analysis does, tho it takes 3 weeks. But once you build reputation (either that way or through installs, it won't ever pop up (that was my idea with having an installer that just installs the .dat files you ship with it - you're always shipping the same .exe and don't have to rebuild reputation with SmartScreen for every new patch or plugin.
-
@Christoph-Hart Did you have to go through the whole ordeal of getting a DUNS number?
-
@aaronventure no my Tax ID that I'm using as sole proprietor was fine.
-
@Christoph-Hart is this it here:
Trusted Signing—Managed Signing Services | Microsoft Azure
Secure your applications with a fully managed end-to-end signing service for code, documents, applications, and more with Trusted Signing from Microsoft Azure.
(azure.microsoft.com)
?
DHPlugins / DC Breaks | Artist / Producer / DJ / Developer
https://dhplugins.com/ | https://dcbreaks.com/
London, UK -
@DanH No, the pricing model is mentioned here:
Note that this is preliminary (and I think at the moment it's even free), but I find it quite reasonable.
