Ixe1 / OMSI-Time-Sync

A program which automatically keeps OMSI 2's in-game time in sync with the system time or Bus Company Simulator virtual company's time.
GNU General Public License v3.0

Distributed EXE is not signed #1

Closed RyleaStark closed 2 years ago

RyleaStark commented 2 years ago


When running the included OMSI Time Sync.exe executable, you are greeted with the Windows Defender SmartScreen informing you that the package cannot be executed without an exception being applied. This behavior should not be expected when you are distributing your software to various repositories around the web.

Instead, please sign your code/executable so your publisher information is included, and so Windows can trust the distributed .exe file.

If you need reference on how to sign your code to prevent SmartScreen, please see:

As this is an open-source project - you should look for a Certificate Authority that provides discounted or free signing certificates such as:

Ixe1 commented 2 years ago

Thanks, I was wondering why this was happening. I will get this resolved now. Sorry.

Ixe1 commented 2 years ago

Just to give an update on this issue.

I've checked out Certum and at the moment it looks like I will have to share the city I live in on the certificate, unfortunately. I'm not exactly keen on this; I didn't mind my name, but it looks like the locality and perhaps even (uncertain yet) my physical address needs to be on the certificate. I'm waiting for a reply from them to get confirmation on what personal details will be shown on the certificate while going through a laborious identity check.

Someone else suggested to try using CodeNotary (as it's free) but I believe that doesn't code sign the EXE file as such. At least when I tried it I saw no digital certificate on the EXE file.

The irony of making something open source and free and I have to actually pay for a certificate that may also reveal some personal details about where I live just so I can satisfy Microsoft's SmartScreen.

Ixe1 commented 2 years ago

Unfortunately I'm unable to go ahead with code signing because the digital certificate reveals too much personal information about myself, which might be used in a bad way by certain internet users sadly.

As such I can't directly upload it to Fellowsfilm any longer, but I will try OMSI WebDisk as suggested by someone. I don't know what the rules are regarding posting it in the 'external releases' section on FF if OMSI WebDisk approve the submission instead, but one thing at a time. Otherwise if it's also rejected there due to lack of code signing then this project will just have to remain on GitHub and be shared as word of mouth, worst case.

I will also use CodeNotary, although I don't think that will help the random SmartScreen warning message that some people may get. Whether true or not I don't know, but I've heard that an unsigned file can become more trusted by SmartScreen as more people download and use it. SmartScreen is very secretive, understandably so, but also feels like a money grab with needing to digitally sign files - which is a bit unfair to open source developers such as myself.

I will re-upload the 'release' here shortly with some amendments to the README.txt file.

So that's that, I will close the issue.

RyleaStark commented 2 years ago

In lieu of a validated certificate, a self signed certificate is sufficient enough and costs you nothing to do - please look into this as an alternative versus distributing code that is unsigned.

Ixe1 commented 2 years ago

> In lieu of a validated certificate, a self signed certificate is sufficient enough and costs you nothing to do - please look into this as an alternative versus distributing code that is unsigned.

I see, I've added it to the project's planned features list. It's something I'll add for the next release soon which intends to also, at the very least, add support for OMSI2 'tram' version, optionally automatically detect the timezone offset for OMSI (e.g. if the user went via BCS/CCS) and an optional and simple sound indication of when the manual sync hotkey was pressed and acknowledged by the app.

If I get a self-signed certificate sorted out then should I re-submit it on Fellowsfilm like I originally did or keep it as an 'external release'?

Ixe1 commented 2 years ago

> In lieu of a validated certificate, a self signed certificate is sufficient enough and costs you nothing to do - please look into this as an alternative versus distributing code that is unsigned.

Just to update on this, as the project is going to transition completely to using a plugin DLL, as I've now managed to get reading from and writing to OMSI's memory working in the plugin itself, I've now started code signing the DLL file (self-signed).


I hope to release the overhauled plugin, and deprecate the 'EXE' of this tool, in the next few days.

However I want to ask again, in case you missed the question, as to whether I should re-submit the new OMSI2 plugin DLL on Fellowsfilm no longer as an 'external release' once it's ready, or keep this as an 'external release' on Fellowsfilm?

Thanks.

Ixe1 commented 2 years ago

Going to close this issue due to lack of response.

RyleaStark commented 2 years ago

Heya, sorry for the delay in responding to you via the issue - once you've deprecated the exe, please resubmit! :)