[Interest] Qt Install Framework - Becoming a Microsoft Known Publisher

Michael Corcoran michael.corcoran at outlook.com
Wed Oct 10 08:59:53 CEST 2018


I've looked into this a few times but never really came to a satisfying conclusion. Does anybody know a viable path for free and open source projects? The warnings scare some users off, but I'm sure I'm not alone when I say I'm not about to pay out of my own pocket to better support a platform I don't even use myself, and worse still, one that seems to be actively hostile toward my efforts to support it.

Thanks,
Michael
________________________________
From: Interest <interest-bounces+michael.corcoran=outlook.com at qt-project.org> on behalf of Elvis Stansvik <elvstone at gmail.com>
Sent: Wednesday, 10 October 2018 6:54 AM
To: Nuno Santos
Cc: interest at qt-project.org Interest
Subject: Re: [Interest] Qt Install Framework - Becoming a Microsoft Known Publisher

On Tue, 9 Oct 2018 at 17:54, Elvis Stansvik <elvstone at gmail.com> wrote:
>
> On Tue, 9 Oct 2018 at 17:29, Nuno Santos <nunosantos at imaginando.pt> wrote:
>>
>> Christopher,
>>
>> In order to have Microsoft’s SmartScreen saying your company name, you need to buy an EV certificate:
>
>
> Let me add that it's not strictly necessary to use an EV certificate to get rid of SmartScreen. It's possible with a "regular" certificate as well, it just takes some time for the cert signature to become whitelisted at Microsoft (they track user installs).
>
> We use a regular (cheaper) code signing cert from Digicert. For a while, users running our installer would still get a SmartScreen warning, but as the number of installs grew, at some point the warning disappeared due to whitelisting.

For reference, our 3 year Digicert Code Signing Certificate was 535
USD when we bought it.

For signing the macOS application/dmg we use a separate certificate
from Apple we get through their developer program (999 SEK ~ 110 USD).
It's possible that we could use the Digicert one to sign the macOS
build, or vice versa use the Apple one to sign the Windows build, but
I doubt it and haven't investigated, since it's not so much money
anyway.

Elvis

>
> An EV certificate would establish trust faster, and I think the rules behind the whitelisting are rather undocumented.
>
> HTH,
> Elvis
>
>>
>> https://www.globalsign.com/en/code-signing-certificate/ev-code-signing-certificates/
>>
>> It costs around 300 euros a year.
>>
>> There are several providers for this. Globalsign is just one. Then you will receive a USB dongle with your certificate (GlobalSign sends a USB dongle).
>>
>> When you have it, you need to configure it. The provider tells you what to do.
>>
>> After that you need to invoke a command like this:
>>
>>
>> signtool.exe sign /a /tr http://rfc3161timestamp.globalsign.com/advanced /td SHA256 EXE_TO_SIGN
>>
>>
>> Best,
>>
>> Nuno
>>
>> On 9 Oct 2018, at 16:20, Christopher Probst <christop.probst at gmail.com> wrote:
>>
>> Thank you, Nils, for your reply.
>>
>>> I think signing your installer should solve this. "Trust" can be bought
>>> with the certificate.
>>>
>>>
>>
>>
>> Please forgive my ignorance, but how does one sign an application with Microsoft? The documentation online seems unnecessarily complex for something that should be routine. Any help is appreciated.
>>
>> Thanks,
>> Christopher
>> _______________________________________________
>> Interest mailing list
>> Interest at qt-project.org
>> http://lists.qt-project.org/mailman/listinfo/interest
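The signing step quoted in the thread, followed by the checks a release script would run on the result, as an added example that is not part of the original messages. It assumes signtool.exe from the Windows SDK is on PATH, adds the /fd SHA256 file-digest flag to the quoted command, and treats the certificate policy OID 2.23.140.1.3 as the marker of an EV code signing certificate; the parameter names are hypothetical.

```powershell
# Added example (not from the thread): sign an installer, then verify it.
param(
    [Parameter(Mandatory)] [string] $Installer,   # path to the installer .exe
    # RFC 3161 timestamp URL taken from the command quoted in the thread
    [string] $TimestampUrl = 'http://rfc3161timestamp.globalsign.com/advanced'
)
$ErrorActionPreference = 'Stop'

# /a picks the best matching certificate from the store or USB token,
# /tr + /td request an RFC 3161 timestamp with a SHA-256 digest.
& signtool.exe sign /a /fd SHA256 /tr $TimestampUrl /td SHA256 $Installer
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed (exit code $LASTEXITCODE)" }

# /pa verifies against the default Authenticode policy, as Windows does
# for a downloaded installer.
& signtool.exe verify /pa /v $Installer
if ($LASTEXITCODE -ne 0) { throw "signtool verify failed (exit code $LASTEXITCODE)" }

# Independent check through the PowerShell cmdlet.
$sig = Get-AuthenticodeSignature -FilePath $Installer
if ($sig.Status -ne 'Valid') {
    throw "Signature status is $($sig.Status): $($sig.StatusMessage)"
}

# Without a countersigned timestamp the signature stops validating once
# the signing certificate expires, so treat a missing one as a failure.
if (-not $sig.TimeStamperCertificate) {
    throw 'Signature has no timestamp countersignature'
}

# Report whether the signer certificate carries the EV code signing policy.
# Assumption: the OID appears in the Certificate Policies extension (2.5.29.32).
$policies = $sig.SignerCertificate.Extensions |
    Where-Object { $_.Oid.Value -eq '2.5.29.32' }
$isEv = [bool]($policies -and
    ($policies.Format($false) -match '2\.23\.140\.1\.3(?![\.\d])'))

[pscustomobject]@{
    File          = $Installer
    Signer        = $sig.SignerCertificate.Subject
    CertExpires   = $sig.SignerCertificate.NotAfter
    TimestampedBy = $sig.TimeStamperCertificate.Subject
    EvPolicy      = $isEv
}
```

A valid signature from a non-EV certificate still passes every check here; as the thread notes, the SmartScreen prompt in that case depends on reputation that builds up with installs, which this script cannot measure.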