davidanthoff closed this 3 months ago
Can you verify that the .exe and .zip distributions are signed? (Not the .exe installer itself, but the contents of what the installer extracts).
My guess as to what's happening is that after we run the Inno setup stuff here, we need to re-compress the tarball, because the Inno setup is what does the codesigning for us, similar to what we do for macOS above.
Yes, both the "installer" and the "portable" link for 64 bit under https://julialang.org/downloads/#current_stable_release have a julia.exe that is correctly signed. So that suggests it is really just the tarballs that have the unsigned exe.
We could also use azure signtool to do the signing, as I do over at Juliaup here. That is the MS approved way of storing the certificate in Azure Key Store (which we already do for Juliaup) and then doing the signing with that azure sign tool. Main benefit is that you don't have to put the certificate on the machine where you are doing the signing at all, so good in terms of protecting the certificate itself.
The recent tarballs that Juliaup uses to get binaries for Windows contain binaries that are not digitally signed. That is definitely true for 1.10 and 1.9. For 1.6 they are still signed. I didn't check systematically where the signatures are missing.
In addition to going back to signing the .exe files, we should probably also sign all *.dll files, including the system image. We have some reports that on 1.11 on Windows there are some significant UI latency problems (I'll open a new issue for that later) and one (pure theory) is that Windows Defender checking files might be a reason, and AFAIK one way to speed that up is to have all binaries signed with a well known certificate.
Is there a chance to fix this for the next 1.11 beta build? That would be great, because it would allow us to tell whether the latency issue on Windows might just go away with that.
CC @staticfloat because he probably is the only person who can fix this in any case ;)
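A systematic check for the gap described in this issue, as an added example that is not part of the thread or of the Julia project's tooling: it walks a release tarball and lists every .exe/.dll whose PE header has no Authenticode certificate table. The function names and the sample archive (including its file names other than julia.exe) are constructed for illustration.

```python
import io
import struct
import tarfile

SECURITY_DIR = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY: points at the Authenticode certificate table

def cert_table(pe):
    """Return (file_offset, size) of the certificate table, or None if `pe` is not a PE image."""
    try:
        (nt,) = struct.unpack_from("<I", pe, 0x3C)            # e_lfanew in the DOS header
        if pe[:2] != b"MZ" or pe[nt:nt + 4] != b"PE\0\0":
            return None
        opt = nt + 24                                         # PE signature (4) + COFF header (20)
        (magic,) = struct.unpack_from("<H", pe, opt)
        dirs = opt + {0x10B: 96, 0x20B: 112}[magic]           # data directories: PE32 / PE32+
        (count,) = struct.unpack_from("<I", pe, dirs - 4)     # NumberOfRvaAndSizes
        if count <= SECURITY_DIR:
            return (0, 0)
        return struct.unpack_from("<II", pe, dirs + 8 * SECURITY_DIR)
    except (struct.error, KeyError):                          # truncated file or unknown magic
        return None

def unsigned_binaries(tarball):
    """Names of .exe/.dll members that are not PE files or carry no embedded signature."""
    missing = []
    with tarfile.open(fileobj=io.BytesIO(tarball), mode="r:*") as tar:
        for m in tar:
            if m.isfile() and m.name.lower().endswith((".exe", ".dll")):
                table = cert_table(tar.extractfile(m).read())
                if table is None or table[1] == 0:
                    missing.append(m.name)
    return missing

def fake_pe(signed):
    """Constructed sample: header-only PE32+ image with 16 data directories."""
    table = struct.pack("<II", 0x200, 8) if signed else bytes(8)
    opt = struct.pack("<H106xI32x", 0x20B, 16) + table + bytes(88)
    return b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40) + b"PE\0\0" + bytes(20) + opt

def sample_tarball():
    """Constructed sample: a .tar.gz with one unsigned .exe and one signed .dll."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, signed in [("julia-sample/bin/julia.exe", False),
                             ("julia-sample/bin/example.dll", True)]:
            data = fake_pe(signed)
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()
```

A non-empty certificate table only shows that a signature is embedded; whether it validates is a separate check done on Windows, for example with Get-AuthenticodeSignature or signtool verify.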