Summary

Sign the Windows installer with our certificate.

Review Request #6730 — Created Jan. 3, 2015 and submitted Jan. 5, 2015, 1:43 p.m.

Information

Owner

chipx86

Repository

RBTools

Branch

master

Bugs

Depends On

Commit

5d8c7f9...

Reviewers

Groups

rbtools

People

Description

The Windows installer is now signed with our certificate, guaranteeing

that users will see "Beanbag, Inc." instead of "Unknown publisher" when

installing the package. This helps people to know that they're getting

an official installer, and that it's safe to install.
To build a signed installer, our official certificate and private key

must be installed on the machine. We do not bundle those, for obvious

reasons.

Testing Done

Built an installer and ran it. Saw that it said Beanbag, Inc.

Copied the installer to a VM that didn't have the certificate and private
key installed. Ran the installer and saw the same correct certificate info.

Tool: PEP8 Style Checker
Ignored Files:
    contrib/installers/windows/build-installer.bat
    contrib/installers/windows/wix/rbtools.wixproj



Tool: Pyflakes
Ignored Files:
    contrib/installers/windows/build-installer.bat
    contrib/installers/windows/wix/rbtools.wixproj

Ship it!

```
Ship It!
```

Status: Closed (submitted)

Change Summary:

Pushed to master (bcb7629)

You missed the timestamp parameter so when the certificate expires, old builds will be marked as having an invalid signature.

bcran Jan. 7, 2015, 10:57 p.m.

Also, I don't understand why you replaced SignFile task with Exec. Was there a problem using the SignFile task?

chipx86 Jan. 7, 2015, 10:58 p.m.

SignFile doesn't actually work with MSIs. It results in an error when trying to parse the MSI file.

After Googling around for this, I found a number of people with the same problems, and some guides. The documentation for SignFile said it cannot be used with MSI files, and the responses from people on forums gave this as the solution.

bcran Jan. 7, 2015, 11:56 p.m.

Oops, I'd forgotten that. Back around the start of 2013 I wrote the following on the WiX mailing list:



You can't use the 

MSBuild SignFile task 

(http://msdn.microsoft.com/en-us/library/ms164304.aspx) because it 

doesn't work with .cab files (d'oh!).  I'd recommend adding a 

description and timestamp URL: e.g.:
<Exec Command="signtool.exe sign /sha1 <sha1_from_cert_store> /t 

http://timestamp.globalsign.com/scripts/timstamp.dll /d 

<your_product_name> "%(SignMsi.FullPath)"" />
Or, if you really want it to auto-select which certificate to use!
<Exec Command="signtool.exe sign /a /t 

http://timestamp.globalsign.com/scripts/timstamp.dll /d 

<your_product_name> "%(SignMsi.FullPath)"" />=

The timestamp URL might be comodo, verisign, globalsign etc. depending 

on who your Authenticode certificate was purchased from.

chipx86 Jan. 7, 2015, 11:57 p.m.

It's very possible I read your post on this while I was looking at this :)

I'll be getting the timestamp change up maybe tonight or tomorrow. I'll add you as a reviewer when I have that.