On Monday, 15 August 2016 at 18:52:03 UTC, Basile B. wrote:
On Monday, 15 August 2016 at 17:05:32 UTC, Brad Anderson wrote:
With all of the issues people are having with Windows Defender
now would be a good time to start code signing the Windows
installer and binaries (doing this is the first thing
Microsoft suggests on their page for Software Developers about
Windows Defender false positives).
I propose the D Foundation acquire a code signing certificate
and we start using it for releases. Alternatively any well
known organization member could be the signer (having "The D
Foundation" on the popup sure would look nice though). I'd be
happy to put my money where my mouth is and chip in some of
the money to cover the certificate cost.
I've used StartSSL's code signing certificates successfully
for this purpose but I imagine any vendor will do. The biggest
hassle is certificate format conversion but once you've got
the certificate in the Windows certificate store signing is
just a command line call that can be easily scripted.
There is already an issue created for this here:
https://issues.dlang.org/show_bug.cgi?id=16065
Do you think that a certificate prevents an antivirus to scan
an executable ? I'm laughing out of loud here.
No. Of course not.
To quote Microsoft: "Signing your program’s files in a consistent
manner, with a digital certificate issued by a trusted root
authority, helps our research team quickly identify the source of
a program and apply previously gained knowledge. In some cases
this can result in your program being quickly added to the known
list or, far less frequently, in adding your digital certificate
to a list of trusted publishers."
At work we added class 3 code signing and it helped quite a bit
with McAfee's warnings about our software for end users. In that
case it was warnings about new releases of our software that
hadn't had many installs yet.
Microsoft isn't selling certificates (though it'd be nice if they
offered them like Apple does although with Apple you have to get
a DUNS number which I'm sure you consider a scam as well).
Please share your suggestions for how to help with the false
positive issue (or just continue laughing in ignorance based on
an assumption of something I never said).
