Code signing (Windows installer)

[PhilK]

I installed 27.3.0 (x64 Windows) on one of the machines here today and noticed the initial installer security modal dialog box comes up with the publisher listed as "unknown".

But then I logged in to another user account on that machine afterwards and the publisher is listed as Marcus Straver as expected if I launch the installer from that account. (both have admin rights)

Anyone know why it might not have displayed the proper publisher the first time? Different UAC settings on each account?

Strange..

[dark_moon]

I post that in past too.
Only the update is correctly signed.

The normal installer have a sig included too but dont show the publisher info on execution

[Moonchild]

And I explained in the past already why this is. The actual setup.exe is created on-the-fly as part of the installer packaging process, and as such isn't code-signed before put into the (otherwise signed) installer. I haven't had the opportunity to figure out how to interrupt that process to code-sign setup.exe

[New Tobin Paradigm]

We would need to devise a method that is an alt to Mozilla's Signing Server and Services. I need to know more about how you sign binaries now then a solution can be devised.

[Moonchild]

Code signing is done by hand with a batch file run on built binaries for release builds.

mach build -> codesign -> mach package && mach installer

Code signing requires my IV certificate+private key and my password for it. Those will not leave my hands.

[dark_moon]

Today i found that tool: https://www.kcsoftwares.com/?masscert

Maybe it helps you for binary signing?

[Moonchild]

No, we don't have an issue signing binaries and don't need a different tool. Signing itself is not an issue. Mozilla's way of creating the installer in the source is he issue here.