Sign the installers

[jeroen]

Figure out how to sign the R installers on appveyor. @dlemstra seems to have already figured this out for imagemagick.

[dlemstra]

Feel free to ping me if you need help with this.

[jeroen]

I assume I need to purchase a cert first? What CA do you recommend? Or does windows accept self signed certs?

[dlemstra]

I think you could use a self signed certificate but then your installer will still not show up as trusted. We use a certificate from leaderSSL that was donated to us. I think you do need to "be a organization" to get a certificate from then.

[jeroen]

Fixed via https://github.com/rwinlib/base/commit/c0c522bfc3615d284f4d6c086810da72eac7c238, mostly copied from @dlemstra setup. Thanks!

@dlemstra do you know if the "timestamp" server has to match the brand of the cert I purchased, or can it be any timestamp server?

[dlemstra]

It can be any timestamp server, this one worked the best for us.

[jeroen]

Hmm I just tested and my installer is signed, however I still get the windows defender warning.

Is that something that will disappear eventually? Or should I have gotten a more expensive cert (I used comodo via leaderSSL)

[dlemstra]

I don't think this will ever disappear. I am not sure but it might be possible that the More info shows your certificate.

[jeroen]

Hmm I just checked one of your weekly imagemagick installers and there was no warning. I think I just have to build up some certificate reputation via legitimate downloads.

Are you using a regular or EV-cert?

[dlemstra]

We have a regular certificate.

[jeroen]

This seems to work. Even though my cert is still doesn't have enough reputation :(

[jeroen]

Still getting the Windows defender warnings. Maybe we also need to run the Windows App Certification Kit. According to this page we can simply run the following line on the installer:

appcert.exe reset
appcert test -apptype desktop -setuppath d:\cdrom\setup.exe -appusage peruser -reportoutputpath [report file name]