Open maxbechtold opened 4 years ago
Perhaps submitting the executable for analysis could increase its reputation. This would have to be done for every bundle of every release. https://www.microsoft.com/en-us/wdsi/filesubmission/
MS SmartScreen Defender still shows a warning with "Unknown Publisher" for the signed executable. Probably this data is taken from the .exe directly, and could be added as described here: https://pyinstaller.readthedocs.io/en/stable/usage.html#capturing-windows-version-data. This info, together with the bundle hash sum, should convince users that timerecord.exe is genuine.
Unfortunately, I can't get it to work with the current PyInstaller stable version; I should try it once 4.0 is released.
The Defender warning might also be related to the "MOTW" flag of the exe that might be set when the release is downloaded. To analyze this, https://github.com/nmantani/PS-MOTW might be helpful.
Code signing the timerecord.exe should prevent "Unknown publisher" dialogs or at least display a name related to this GitHub project (since only self-signing seems to be free nowadays). https://github.com/pyinstaller/pyinstaller/wiki/Recipe-Win-Code-Signing https://stackoverflow.com/a/51443366 https://www.cryptosys.net/pki/manpki/pki_distnames.html
Since this only signs the executable, it might be prudent to provide a hash sum for the individual bundle zips.
Signing .bat files is not possible, so there should be at least some docs explaining how to cope with it when listing or exporting stage times: https://superuser.com/questions/470463/how-to-sign-a-windows-batch-bat-file
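
An added example, not part of the issue thread or the project's code: a Python check a user could run on a downloaded bundle, comparing its SHA-256 with the published hash sum and reading the MOTW, which Windows stores in the NTFS alternate data stream `Zone.Identifier`. The function names, the sample stream and its URLs are constructed for illustration.

```python
import configparser
import hashlib

# Constructed sample of what a Zone.Identifier stream holds after a browser download.
SAMPLE_STREAM = """[ZoneTransfer]
ZoneId=3
ReferrerUrl=https://example.invalid/releases
HostUrl=https://example.invalid/releases/bundle.zip
"""

# Windows URL security zones; 3 and 4 are the ones that trigger download warnings.
ZONES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
         3: "Internet", 4: "Restricted sites"}


def parse_zone_identifier(text):
    """Parse INI-style Zone.Identifier content; None if it is not a valid MOTW."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep key case (ZoneId, HostUrl, ...)
    try:
        cp.read_string(text.lstrip("\ufeff"))
        zone = int(cp["ZoneTransfer"]["ZoneId"])
    except (configparser.Error, KeyError, ValueError):
        return None
    info = dict(cp["ZoneTransfer"])
    info.update(ZoneId=zone, ZoneName=ZONES.get(zone, "Unknown"))
    return info


def read_motw(path):
    """Return the parsed MOTW of a file, or None when no stream exists.
    Alternate data streams are an NTFS feature, so elsewhere this is always None."""
    try:
        with open(f"{path}:Zone.Identifier", encoding="utf-8", errors="replace") as fh:
            return parse_zone_identifier(fh.read())
    except OSError:
        return None


def sha256_of(path, chunk=1 << 20):
    """Hash the file in chunks so large bundle zips do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def check_download(path, published_sha256):
    """Compare the file against the published hash sum and report its MOTW."""
    ok = sha256_of(path) == published_sha256.strip().lower()
    return {"sha256_ok": ok, "motw": read_motw(path)}
```

A `motw` result with `ZoneId` 3 on a freshly downloaded file means the mark is present; `None` means the file carries no `Zone.Identifier` stream.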