TagStudio icon indicating copy to clipboard operation
TagStudio copied to clipboard

Published 20 hours ago verified publisher icon TagStudioDev

[Feature Request]: Provide an `.MSIX` installation package.

Open RokeJulianLockhart opened this issue 1 year ago • 8 comments

Description

Although a Windows installer has been added (as https://github.com/TagStudioDev/TagStudio/issues/130#issuecomment-2112964211 explains) it's quite retrograde. EXE has been replaced MSI, which was replaced by APPX, which has been replaced by MSIX. Anything except MSIX is not recommended by Microsoft, because it's not suitable for large-scale management (like via PowerShell and 1st-party deployment tools).

Solution

Even as a user (rather than an administrator) if you've ever installed an MSIX package, you'll know what a breeze it is – the GUI is always the same, because it uses the included MSIX installation tool from Microsoft.

Additional rationale is available at https://github.com/felixrieseberg/windows95/issues/221#issue-833287302.

Alternatives

Type Rationale
.appInstaller Basically an .MSIX.
.appX Directly replaced by .MSIX, which should be easier to work with.
.MSI Better than an .exe, but that's all.

RokeJulianLockhart avatar Jun 03 '24 12:06 RokeJulianLockhart

One roadblock to this is that MSIX packages appear to need to be code signed to run on a system not running in developer mode. So $100-300/yr for the project to maintain signing capabilities depending on who you get the cert through.

Loran425 avatar Jun 10 '24 02:06 Loran425

https://github.com/TagStudioDev/TagStudio/issues/241#issuecomment-2157048623

@Loran425, that is a pain. Might be worth following https://github.com/microsoft/msix-packaging/issues/332#issuecomment-650809083, in case the decision there changes. However, are you certain about the lesser issue - that the certificate must be bound to the package on a non-developer mode OS installation? I would doubt that, considering that MicrosoftDocs/msix-docs/blob/730f4c2800902eb04de976929ff335ff2d24ea60/msix-src/package/sign-app-package-using-signtool.md#prerequisites doesn't mention it (and it would be logically strange).

Might be worth asking about at microsoft/msix-packaging/discussions/new?category=q-a.

RokeJulianLockhart avatar Jun 10 '24 11:06 RokeJulianLockhart

I'm not certain about the caveats around developer mode vs a typical install, I've honestly found it quite difficult to find information about MSIX at all. What does remain true is that code signing is required for typical usage, and unless you want to deal with having a user install your certificate (.crt) file you must go through a CA which creates a yearly cost. One exception is distributing on the Microsoft Store, but relying on that means relying on that store being the only place of distribution, and thus is undesirable. In that state of things, I do not see us packaging with MSIX. I could see an MSI (or APPX but I don't know much about it) in the near future, though, which is at least better than a lone EXE.

xarvex avatar Jun 11 '24 07:06 xarvex

https://github.com/TagStudioDev/TagStudio/issues/241#issuecomment-2160023902

@xarvex, the primary benefit of .MSIX for me is its ability to be easily managed by PowerShell via native commands, and its very standardized filesystem layout. No alternative provides those, except .APPX, but .APPX is a necessarily dead technology due to its unnecessarily sandboxed nature. .MSI doesn't provide any of these capabilities - it's solely an improvement over mere binaries because it abstracts the registry entries for the invocation and (un)installation .lnk files.

RokeJulianLockhart avatar Jun 11 '24 10:06 RokeJulianLockhart

@RokeJulianLockhart it looks like you are the one who knows the most about MSIX, so feel free to open PR with Github Action for creating MSIX.

yedpodtrzitko avatar Jun 11 '24 10:06 yedpodtrzitko

https://github.com/TagStudioDev/TagStudio/issues/241#issuecomment-2160444480

@yedpodtrzitko, I do wish I did. Unfortunately, @xarvex was correct that there's not much documentation. If I can, I shall, but I've not even used GH Actions yet (I use GitLab mostly).

RokeJulianLockhart avatar Jun 11 '24 11:06 RokeJulianLockhart

For right now I'm going to leave this as a wontfix as we don't have the resources to explore CA signing. However, I will leave this issue open to continue tracking, it's not something I want to dismiss. Wishful thinking says maybe at some point there will be a change of heart at Microsoft about this.

I hope everyone can understand the stance taken.

xarvex avatar Jun 11 '24 18:06 xarvex

@xarvex @RokeJulianLockhart

It looks like signpath.io provides low-cost or free certificates to open source projects. It also looks like they are trusted by Rainmeter, vim for Windows, and Transmission.

hi5a avatar Aug 24 '24 17:08 hi5a