[Desktop app] Sign the code for the Windows build
Overview
Windows Defender thinks our desktop app is a virus. We need to sign the code with an SSL certificate.
Devops did some research on the best way to do this and needs us to test one promising approach. See the instructions below.
Requirements
We've found several EV certificate providers for code signing (eligible for Microsoft Authenticode validation). Most of them are enterprise-oriented solutions that involve setting up and operating HSM systems or using hardware keys to sign software. The most interesting service, which could fit our case, is SSL.com, which provides a "remote" signature feature. You can create an EV code signing certificate and use the CLI tool to sign software with that certificate.
They offer a sandbox we can try out. Could you please execute the following tests?
- Create a test account on https://sandbox.ssl.com/
- Generate account and secret keys
- Create EV Code Signing Certificate (after executing the curl command, the certificate will appear on the dashboard)
curl -H "Accept: application/json" -H "Content-type: application/json" -X POST -d "{\"account_key\":\"ACCOUNT_KEY_VALUE\",\"secret_key\":\"SECRET_KEY_VALUE\",\"product\":\"360\",\"period\":\"365\"}" https://sws-test.sslpki.com/certificates
- Download eSigner and try signing Windows builds (follow the instructions here: https://www.youtube.com/watch?v=Br25mZIlKdU&ab_channel=SSLCorp)
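
An added example (not part of the original ticket or of SSL.com's tooling) of the certificate-creation request from the steps above, with the keys read from environment variables and the JSON body sent on stdin so they stay out of curl's command line and the shell history. The variable names `SSL_ACCOUNT_KEY` and `SSL_SECRET_KEY` and the `--send` switch are assumptions made for this example.

```shell
#!/bin/sh
# Added example: same request as the curl line in the ticket, with credentials
# taken from the environment instead of being typed into the command line.
# SSL_ACCOUNT_KEY / SSL_SECRET_KEY are assumed variable names, not SSL.com's.

API_URL="https://sws-test.sslpki.com/certificates"   # sandbox endpoint from the ticket

# Escape backslashes and double quotes so a value cannot break out of its JSON string.
json_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Build the request body; product 360 and period 365 are the values in the ticket.
build_payload() {
    printf '{"account_key":"%s","secret_key":"%s","product":"%s","period":"%s"}' \
        "$(json_escape "$1")" "$(json_escape "$2")" "${3:-360}" "${4:-365}"
}

# Send the body on stdin (-d @-) so the secret is not part of curl's arguments.
request_certificate() {
    if [ -z "${SSL_ACCOUNT_KEY:-}" ] || [ -z "${SSL_SECRET_KEY:-}" ]; then
        echo "SSL_ACCOUNT_KEY and SSL_SECRET_KEY must be set" >&2
        return 2
    fi
    build_payload "$SSL_ACCOUNT_KEY" "$SSL_SECRET_KEY" |
        curl --fail --silent --show-error \
             -H "Accept: application/json" -H "Content-type: application/json" \
             -X POST -d @- "$API_URL"
}

# Run only when asked to, so sourcing the file makes no network call.
if [ "${1:-}" = "--send" ]; then
    request_certificate
fi
```

Set the two variables from a secrets store or CI secret rather than exporting them in an interactive shell, then run the script with `--send`.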