soong-construction / dirt-rally-time-recorder

Stage time recorder for DiRT Rally [2.0]

Use code signing to prove trustworthiness #45

Open maxbechtold opened 4 years ago

maxbechtold commented 4 years ago

Code signing the timerecord.exe should prevent "Unknown publisher" dialogs or at least display a name related to this GitHub project (since only self-signing seems to be free nowadays).
https://github.com/pyinstaller/pyinstaller/wiki/Recipe-Win-Code-Signing
https://stackoverflow.com/a/51443366
https://www.cryptosys.net/pki/manpki/pki_distnames.html

Since this only signs the executable, it might be prudent to provide a hash sum for the individual bundle zips.

Signing .bat files is not possible, so there should be at least some docs explaining how to cope with it when listing or exporting stage times: https://superuser.com/questions/470463/how-to-sign-a-windows-batch-bat-file

maxbechtold commented 4 years ago

Perhaps submitting the executable for analysis could increase its reputation. This would have to be done for every bundle of every release. https://www.microsoft.com/en-us/wdsi/filesubmission/

maxbechtold commented 4 years ago

MS SmartScreen Defender still shows a warning with "Unknown Publisher" for the signed executable. Probably this data is taken from the .exe directly, and could be added as described here: https://pyinstaller.readthedocs.io/en/stable/usage.html#capturing-windows-version-data. This info, together with the bundle hash sum, should convince users that timerecord.exe is genuine.

Unfortunately, I can't get it to work with the current PyInstaller stable version; I should try it once 4.0 is released.

maxbechtold commented 2 years ago

The Defender warning might also be related to the "MOTW" flag of the exe that might be set when the release is downloaded. To analyze this, https://github.com/nmantani/PS-MOTW might be helpful.
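Added example, not part of the issue thread or the project's code: a Python sketch for inspecting the MOTW mentioned in the last comment. Windows stores it in the NTFS alternate data stream `Zone.Identifier` as INI-style text; the function names, the `SAMPLE` content and the `example.invalid` URLs are constructed for illustration.

```python
"""Inspect the Mark-of-the-Web (MOTW) that Windows attaches to downloaded files."""
import configparser
import sys

# URL security zones referenced by the ZoneId field.
ZONES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
         3: "Internet", 4: "Restricted sites"}

# Constructed sample of a Zone.Identifier stream (not taken from a real download).
SAMPLE = ("[ZoneTransfer]\r\nZoneId=3\r\n"
          "ReferrerUrl=https://example.invalid/releases\r\n"
          "HostUrl=https://example.invalid/releases/bundle.zip\r\n")


def parse_zone_identifier(text):
    """Parse Zone.Identifier content; return a dict, or None if it is unusable."""
    # interpolation=None: URLs may contain '%', which configparser would
    # otherwise try to expand.
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read_string(text.lstrip("\ufeff"))  # tolerate a leading BOM
    except configparser.Error:
        return None
    if not parser.has_section("ZoneTransfer"):
        return None
    section = parser["ZoneTransfer"]
    try:
        zone_id = int(section.get("ZoneId", ""))
    except ValueError:
        return None
    return {"zone_id": zone_id,
            "zone": ZONES.get(zone_id, "Unknown"),
            "referrer_url": section.get("ReferrerUrl"),
            "host_url": section.get("HostUrl")}


def read_motw(path):
    """Read the MOTW of `path` from its alternate data stream (Windows/NTFS only)."""
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8", errors="replace") as fh:
            return parse_zone_identifier(fh.read())
    except OSError:  # no stream, no such file, or a non-NTFS file system
        return None


if __name__ == "__main__":
    for target in sys.argv[1:]:
        info = read_motw(target)
        print(target, "->", info if info else "no MOTW found")
```

Running it on Windows against the downloaded zip and against the extracted timerecord.exe shows whether the extraction tool carried the mark over to the executable.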