archimatetool / archi

Archi: ArchiMate Modelling Tool
https://www.archimatetool.com
MIT License

Windows Code Signing #990

Closed Phillipus closed 4 months ago

Phillipus commented 8 months ago

This is to track the issues around signing Archi's Windows binaries:

In January 2023 I paid $99 for an OV Sectigo code signing certificate from the Code Signing Store lasting one year. Since then the Archi Windows binaries have been signed.

That certificate expires in January 2024 but things have changed:

"Starting in May 2023, new industry requirements from the CA/B Forum require that all code signing certificate keys are stored on an HSM or compliant hardware token. As part of implementing these changes, Sectigo has increased code signing certificate prices."

Since January 2023 the Archi build process has been done using GitHub Actions, storing the certificate keys in GitHub secrets. A hardware key would mean that this is no longer possible and would have to be done manually on a local machine.

An option is to use cloud signing with GitHub Actions integration, but the cost can be greater ($600 a year).

Note that there are two types of code signing - Organization Validated (OV), and Extended Validation (EV). To get EV you need to be a legal entity with legal documents and backing. Therefore we can only apply for an OV certificate.

I'm looking for a cheap solution that favours open source projects. Some OSS projects are sponsored by companies who pay for the certificate and optionally host the certificate.

We need to find a solution by January 2024.

Phillipus commented 8 months ago

ImageMagick has the same problem. See https://github.com/ImageMagick/ImageMagick/discussions/6826

"Today our code signing certificate will expire. For many years LeaderSSL sponsored us with a code signing certificate but they are no longer able to do so. Since June of 2023 the CA/B Forum requires that OV code signing private keys be stored on a FIPS 140-2 Level 2 or Common Criteria Level EAL4+ certified device. This means we are no longer able to export our code signing certificate with its private key and use this in GitHub actions. We would now either need to have our own GitHub agent and hardware token or use a cloud solution (e.g. digicert). Our preference would be to use a cloud solution that integrates with GitHub. Digicert seems to be our only option now but a certificate there would cost $629 (tax excluded) for a single year. If your organization requires a signed installer then please consider sponsoring us with a code signing certificate."

Phillipus commented 8 months ago

See comments on Hacker News:

https://news.ycombinator.com/item?id=38055816

Phillipus commented 5 months ago

ImageMagick has the same problem. See ImageMagick/ImageMagick#6826

It turns out that ImageMagick got a deal to use Azure Code Signing:

https://github.com/dlemstra/github-stories/tree/main/2023/ImageMagick%20now%20uses%20Azure%20Code%20Signing

Phillipus commented 5 months ago

I bought an Open Source Developer certificate and card reader from Certum for a year. The binaries can be signed manually using a Windows machine with the USB card reader and entering a PIN code. So no more GitHub automated build.

Also note that even though the binaries are signed, if you download the next version of Archi for Windows (using the Edge Browser) Windows will still warn that the file "...is not commonly downloaded and could harm your computer" due to the "SmartScreen" filter. This will be the case until it has got enough "reputation". So it seems that signing the binary is pretty pointless, anyway.
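The thread above is about getting a signature onto the binary; the useful check on the receiving end is whether that signature actually verifies, who the signer is, and whether it carries a timestamp countersignature (which is what keeps the signature valid after a one-year certificate such as the Certum or Sectigo ones expires). The following PowerShell script is an added example for readers of this issue, not code from the Archi project; the file path and the `$ExpectedSubject` string are placeholders to replace with the real download and the publisher's certificate subject.

```powershell
# Added example (not from the Archi project): verify the Authenticode signature
# on a downloaded Windows binary and report the signer, so a reviewer can
# confirm the file is signed by the expected publisher before running it.
# Assumptions: $Path is a placeholder download location; $ExpectedSubject is a
# hypothetical subject string to be replaced with the publisher's actual one.
param(
    [string]$Path = 'C:\Downloads\Archi-Win64.exe',    # placeholder path
    [string]$ExpectedSubject = 'CN=Example Publisher'   # hypothetical subject
)

$sig = Get-AuthenticodeSignature -FilePath $Path

# Status is 'Valid' only when the certificate chain builds to a trusted root and
# the file's hash matches the signed hash. 'NotSigned', 'HashMismatch' and
# 'UnknownError' all mean the file cannot be trusted on the basis of its signature.
"Status      : $($sig.Status)  ($($sig.StatusMessage))"

if ($sig.SignerCertificate) {
    $cert = $sig.SignerCertificate
    "Signer      : $($cert.Subject)"
    "Issuer      : $($cert.Issuer)"
    "Thumbprint  : $($cert.Thumbprint)"
    "Valid until : $($cert.NotAfter)"

    # A timestamp countersignature lets the signature keep verifying after the
    # signing certificate's NotAfter date; without one, a one-year certificate
    # means a one-year signature.
    if ($sig.TimeStamperCertificate) {
        "Timestamped : yes, by $($sig.TimeStamperCertificate.Subject)"
    } else {
        "Timestamped : NO - signature will stop verifying after $($cert.NotAfter)"
    }

    # Any valid OV certificate will produce Status = Valid, so also pin the
    # expected publisher rather than accepting any trusted signer.
    if ($cert.Subject -notlike "*$ExpectedSubject*") {
        Write-Warning "Signer subject does not match expected publisher '$ExpectedSubject'"
    }
} else {
    Write-Warning "No signer certificate found on $Path"
}

# Record the file hash next to the signature result so the download can be
# compared against a hash the project publishes out of band.
$hash = Get-FileHash -Path $Path -Algorithm SHA256
"SHA256      : $($hash.Hash)"
```

Run it as `.\Verify-Download.ps1 -Path <file> -ExpectedSubject '<subject>'`. Note that a `Valid` result here is independent of the SmartScreen warning described above: SmartScreen is a reputation system keyed on the file and the signing certificate, so a correctly signed binary from a new certificate will still trigger the "not commonly downloaded" prompt until enough downloads have accumulated, while the signature check remains the reliable way to confirm the file's origin and integrity.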