xpra icon
Bug tracker and wiki

Opened 7 weeks ago

Closed 3 weeks ago

#1499 closed enhancement (fixed)

Digitally sign the installer

Reported by: andrewmunn Owned by: andrewmunn
Priority: minor Milestone: 2.1
Component: client Version: trunk
Keywords: win32 Cc:

Description

Can the installation binary be digitally signed going forward? I think this will help the application get past some corporate security policies once the signing key is whitelisted there.

Attachments (3)

xpra-ca.cer (769 bytes) - added by totaamwin32 7 weeks ago.
self signed CA cert
install-xpra-ca.png (26.7 KB) - added by Antoine Martin 7 weeks ago.
warning shown when installing the xpra ca file
UAC-warning-verified-publisher.png (35.5 KB) - added by Antoine Martin 7 weeks ago.
UAC warning when installing the signed application

Download all attachments as: .zip

Change History (7)

Changed 7 weeks ago by totaamwin32

Attachment: xpra-ca.cer added

self signed CA cert

Changed 7 weeks ago by Antoine Martin

Attachment: install-xpra-ca.png added

warning shown when installing the xpra ca file

Changed 7 weeks ago by Antoine Martin

UAC warning when installing the signed application

comment:1 Changed 7 weeks ago by totaamwin32

Owner: changed from Antoine Martin to andrewmunn

I assume that you are talking about MS Windows installers.

That's now done in r15584 based on the instructions found in How do I create a self-signed certificate for code signing on Windows?.

Note: you will need to install the self signed CA file first using:

certutil -user -addstore Root xpra-ca.cer

You will get a warning that looks like this:
warning shown when installing the xpra ca file

But then when installing the application, the UAC dialog will look less threatening:
UAC warning when installing the signed application

There are signed windows beta builds you can test: http://xpra.org/beta/windows.
@andrewmunn: please close this ticket if that works for you.

Ultimately, we should use a proper CA, but at ~$160 per year. Those don't come cheap.
One benefit of those certificates is that they are apparently trusted on Mac OSX too, so we wouldn't have to pay the apple developer fee to get the PKG / DMG signed (the apple developer account key has now expired, that was complete waste of money: see #1340).

comment:2 Changed 7 weeks ago by Antoine Martin

Keywords: win32 added
Milestone: 2.1

(edit milestone)

comment:3 Changed 6 weeks ago by Antoine Martin

Minor build system update: r15642

comment:4 Changed 3 weeks ago by Antoine Martin

Resolution: fixed
Status: newclosed

Not heard back, closing.

Note: See TracTickets for help on using tickets.