It’s been mentioned a few times recently that Windows and Mac users are shown various warning dialogs because we’re not signing our installer. Code signing has always struck me as providing little assurance to the user on one side, and as sort of a racket for companies selling code signing certificates. Nonetheless, we might be near a point where it would save us enough hassle to do it.
Here are some questions, interspersed with what I’ve gleaned from a small amount of looking:
- On Windows, we can sign executables with a code signing certificate. The executables we have are the installer, the launcher (VASSAL.exe), java.exe, and javaw.exe.
1.1) What changes for the user if we sign the installer?
This page (mkaz.blog/code/code-signing-a-w … pplication) suggests that signing the installer would result in a slightly less alarming looking dialog when the user runs the installer.
Would anything else change?
1.2) What changes for the user if we sign the launcher?
1.3) Are java.exe and javaw.exe already signed? If not, should they be? By AdoptOpenJDK? By us?
1.4) Would signing have any effect on interference by antivirus software?
1.5) What provider would we use for our code signing certificate? Let’s Encrypt, which was the first thing I checked due to their doing SSL certificates for free, doesn’t do code signing certificates. Are there any providers which are free for open-source projects? If not, what’s our cheapest option?
1.6) It looks like we can do the signing on Linux:
stackoverflow.com/questions/182 … ed-distros
stackoverflow.com/questions/252 … s-exe-file
- On Macs, you can sign app bundles, and apparently also shared libraries (stackoverflow.com/questions/534 … pplication). What I’ve read says that you do it with a certificate from Apple that one gets via having one of their $99/yr developer accounts. (Is Apple really the only provider of certificates?)
2.1) What changes for the user if we sign the app bundle?
2.2) Are the AdoptOpenJDK dylibs already signed? If not, should they be? By AdoptOpenJDK? By us?
2.3) Can we sign the app bundle on Linux?
- Do the benefits of all of this justify the effort?
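For question 1.3, here is a small check I put together (my own added example, not something from the post above or from the VASSAL or AdoptOpenJDK projects): it reads the Certificate Table entry of a PE file's optional header data directory, which is where an Authenticode signature is referenced; a non-zero size means a signature is attached. It only tells you whether something is attached, not whether the signature is valid or whose it is. The `build_stub_pe` helper is a constructed header used as sample input so the script runs offline; its name and the script name `check_signed.py` are my own.

```python
import struct
import sys

SECURITY_DIR_INDEX = 4   # IMAGE_DIRECTORY_ENTRY_SECURITY (the Certificate Table)

def authenticode_directory(pe_bytes: bytes):
    """Return (file_offset, size) of the Certificate Table, or None if no signature is attached."""
    if pe_bytes[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", pe_bytes, 0x3C)[0]
    if pe_bytes[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt_off = e_lfanew + 4 + 20                      # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", pe_bytes, opt_off)[0]
    if magic == 0x10B:                               # PE32
        dd_off = opt_off + 96
    elif magic == 0x20B:                             # PE32+
        dd_off = opt_off + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    n_dirs = struct.unpack_from("<I", pe_bytes, dd_off - 4)[0]   # NumberOfRvaAndSizes
    if n_dirs <= SECURITY_DIR_INDEX:
        return None
    # Unlike the other directories, this entry holds a raw file offset, not an RVA.
    off, size = struct.unpack_from("<II", pe_bytes, dd_off + SECURITY_DIR_INDEX * 8)
    return (off, size) if size else None

def is_signed(pe_bytes: bytes) -> bool:
    return authenticode_directory(pe_bytes) is not None

def build_stub_pe(cert_size: int, pe32plus: bool = True) -> bytes:
    """Constructed minimal PE header (not a runnable program) used only as sample input."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)          # exactly 64 bytes
    dd_rel, magic, machine = (112, 0x20B, 0x8664) if pe32plus else (96, 0x10B, 0x14C)
    opt_size = dd_rel + 16 * 8                                              # 16 data directories
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<I", opt, dd_rel - 4, 16)                             # NumberOfRvaAndSizes
    cert_off = e_lfanew + 4 + len(coff) + opt_size if cert_size else 0      # table sits right after headers
    struct.pack_into("<II", opt, dd_rel + SECURITY_DIR_INDEX * 8, cert_off, cert_size)
    return dos + b"PE\0\0" + coff + bytes(opt) + b"\0" * cert_size

if __name__ == "__main__":                                  # usage: check_signed.py java.exe javaw.exe
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, "signed" if is_signed(fh.read()) else "unsigned")
```

Run it against the java.exe and javaw.exe in the bundled JDK to see whether AdoptOpenJDK ships them signed; a "signed" result still needs a real verification tool (signtool on Windows, or osslsigncode) to confirm the chain.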