Sign the Windows installer with our certificate.

Review Request #6730 — Created Jan. 3, 2015 and submitted

Information

RBTools
master
5d8c7f9...


The Windows installer is now signed with our certificate, guaranteeing
that users will see "Beanbag, Inc." instead of "Unknown publisher" when
installing the package. This helps people to know that they're getting
an official installer, and that it's safe to install.

To build a signed installer, our official certificate and private key
must be installed on the machine. We do not bundle those, for obvious
reasons.

Built an installer and ran it. Saw that it said Beanbag, Inc.

Copied the installer to a VM that didn't have the certificate and private
key installed. Ran the installer and saw the same correct certificate info.

reviewbot
  1. Tool: PEP8 Style Checker
    Ignored Files:
        contrib/installers/windows/build-installer.bat
        contrib/installers/windows/wix/rbtools.wixproj

    Tool: Pyflakes
    Ignored Files:
        contrib/installers/windows/build-installer.bat
        contrib/installers/windows/wix/rbtools.wixproj
david
  1. Ship It!
chipx86
Review request changed
Status: Completed
Change Summary: Pushed to master (bcb7629)
BC
  1. You missed the timestamp parameter so when the certificate expires, old builds will be marked as having an invalid signature.
    1. Also, I don't understand why you replaced SignFile task with Exec. Was there a problem using the SignFile task?

    2. SignFile doesn't actually work with MSIs. It results in an error when trying to parse the MSI file.

      After Googling around for this, I found a number of people with the same problems, and some guides. The documentation for SignFile said it cannot be used with MSI files, and the responses from people on forums gave this as the solution.

    3. Oops, I'd forgotten that. Back around the start of 2013 I wrote the following on the WiX mailing list:

      You can't use the MSBuild SignFile task
      (http://msdn.microsoft.com/en-us/library/ms164304.aspx) because it
      doesn't work with .cab files (d'oh!). I'd recommend adding a
      description and timestamp URL: e.g.:

      <Exec Command="signtool.exe sign /sha1 <sha1_from_cert_store> /t
      http://timestamp.globalsign.com/scripts/timstamp.dll /d
      <your_product_name> &quot;%(SignMsi.FullPath)&quot;" />

      Or, if you really want it to auto-select which certificate to use!

      <Exec Command="signtool.exe sign /a /t
      http://timestamp.globalsign.com/scripts/timstamp.dll /d
      <your_product_name> &quot;%(SignMsi.FullPath)&quot;" />

      The timestamp URL might be comodo, verisign, globalsign etc. depending
      on who your Authenticode certificate was purchased from.

    4. It's very possible I read your post on this while I was looking at this :)

      I'll be getting the timestamp change up maybe tonight or tomorrow. I'll add you as a reviewer when I have that.

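The missing-timestamp problem raised in the review above can be caught at build time. The following is an added example, not part of the review request or the RBTools build scripts: a post-build check using PowerShell's Get-AuthenticodeSignature that fails when the installer is unsigned, signed by an unexpected publisher, or lacks a timestamp countersignature. The function name and installer path are hypothetical, and it assumes the certificate subject's simple name is exactly "Beanbag, Inc.".

```powershell
# Added example: post-build gate for a signed installer.
# Test-InstallerSignature and the sample path are hypothetical names.
function Test-InstallerSignature {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedPublisher
    )

    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    $problems = @()

    # 'Valid' means the file hash matches and the chain is trusted.
    if ($sig.Status -ne 'Valid') {
        $problems += "signature status is $($sig.Status): $($sig.StatusMessage)"
    }

    # The publisher name shown at install time comes from the signer subject.
    $publisher = $null
    if ($null -eq $sig.SignerCertificate) {
        $problems += 'file carries no signer certificate'
    } else {
        $publisher = $sig.SignerCertificate.GetNameInfo('SimpleName', $false)
        if ($publisher -ne $ExpectedPublisher) {
            $problems += "publisher is '$publisher', expected '$ExpectedPublisher'"
        }
    }

    # Without a timestamp countersignature the signature is only good
    # until the signing certificate expires.
    $timestamped = $null -ne $sig.TimeStamperCertificate
    if (-not $timestamped) {
        $problems += 'no timestamp countersignature'
    }

    [pscustomobject]@{
        Path        = $Path
        Publisher   = $publisher
        CertExpires = if ($sig.SignerCertificate) { $sig.SignerCertificate.NotAfter }
        Timestamped = $timestamped
        Problems    = $problems
        Ok          = ($problems.Count -eq 0)
    }
}

# Usage in a build script (path is a placeholder):
# $r = Test-InstallerSignature -Path '.\build\installer.msi' -ExpectedPublisher 'Beanbag, Inc.'
# if (-not $r.Ok) { $r.Problems | ForEach-Object { Write-Warning $_ }; exit 1 }
```

Running the check on a clean VM, as the testing notes above describe for the installer itself, confirms the result does not depend on the build machine's certificate store.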