undefined | Better HN

0 pointsanaisbetts6y ago0 comments

> And in the end it hardly does anything, as you still get the executable blocked for a month.

This is very much not true - if you have unsigned executables for an app of any scale, 3rd party AV will be extremely Unkind to your app, especially if you try to do updates. Also, how long your app gets blocked depends on how many downloads you get, if your app is popular it can be unblocked in a matter of hours, and once a download URL is deemed trusted, this is largely a non-problem.

Also, while I'll 100% agree that CAs on Windows are a nightmare, the tooling is extremely straightforward, signtool.exe takes your cert file, a password, and an executable, then signs it.

0 comments

1 comments · 1 top-level

pornel6y ago

Except when the signtool.exe defaults to SHA-1, generating a signature that Windows won't accept. And then you need to add an arg for a timeserver. And args in a wrong order just silently generate a useless signature. And documentation for all of it is mostly from IE5.5 era, fragmented over several unfinished reorganizations of MSDN.

And tooling for managing the certs is another pain. Mine required entering a PIN from a GUI every time certs were touched, so I couldn't automate the builds.

j / k navigate · click thread line to collapse