alexei.dolgolyov/claude-code-facts
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
7b563c235edb6232777782d2156a16fdb1258529
claude-code-facts/windows-code-signing.md

5.4 KiB
Raw Blame History

Windows Code Signing for Open-Source Projects

A review of code signing options for Windows executables (.exe installers), focused on personal/small open-source projects distributed outside the Microsoft Store.

Why Sign?

Unsigned executables trigger:

  • Chrome: "This file isn't commonly downloaded and may be dangerous"
  • SmartScreen: "Windows protected your PC — Unknown publisher"
  • Edge: Download blocked with "unverified" warning

These warnings significantly reduce user trust and installation rates.

Options Reviewed (2026)

1. Azure Trusted Signing (Recommended)

Cost: ~$9.99/month (Basic tier)

Key advantages:

  • Immediate SmartScreen trust — Microsoft is the CA, so signed binaries are trusted from day one
  • Available to individuals — no business entity required
  • Identity verification via government ID + address (takes a few business days)
  • Cross-platform CI tool (AzureSignTool, .NET-based)
  • Microsoft-backed trust chain

Setup:

  1. Create Azure account + subscription
  2. Provision "Trusted Signing" resource in Azure portal
  3. Complete identity verification (personal or organization)
  4. Create certificate profile
  5. Create Azure AD app registration for CI credentials (client ID + secret)

CI integration (Gitea Actions / GitHub Actions):

- name: Install .NET (for AzureSignTool)
  uses: actions/setup-dotnet@v4
  with:
    dotnet-version: '8.0'

- name: Sign installer
  run: |
    dotnet tool install --global AzureSignTool
    AzureSignTool sign \
      -kvu "${{ secrets.AZURE_KEY_VAULT_URL }}" \
      -kvc "${{ secrets.AZURE_CERT_NAME }}" \
      -kvi "${{ secrets.AZURE_CLIENT_ID }}" \
      -kvs "${{ secrets.AZURE_CLIENT_SECRET }}" \
      -kvt "${{ secrets.AZURE_TENANT_ID }}" \
      -tr http://timestamp.digicert.com -td sha256 \
      build/MyApp-setup.exe

Required secrets:

  • AZURE_KEY_VAULT_URL — Trusted Signing account endpoint
  • AZURE_CERT_NAME — Certificate profile name
  • AZURE_CLIENT_ID — Azure AD app registration client ID
  • AZURE_CLIENT_SECRET — Azure AD app registration secret
  • AZURE_TENANT_ID — Azure AD tenant ID

Gotchas:

  • Identity verification can take a few business days
  • Basic tier shows your verified personal name (not a custom organization name)
  • Relatively new service — documentation is still evolving
  • Requires Azure subscription (free tier works, signing resource costs $9.99/mo)

2. SignPath.io (Free, but restrictive)

Cost: Free for qualifying open-source projects.

Requirements:

  • OSI-approved license
  • Public repository on a major forge (GitHub, GitLab) — self-hosted Gitea likely does not qualify
  • Project must show community activity (stars, contributors, issues)
  • Signing uses SignPath's own certificate (not yours)

SmartScreen: Immediate trust (SignPath's cert has established reputation).

CI/CD: Native GitHub Actions integration only. Poor fit for Gitea Actions — would require mirroring to GitHub.

Verdict: Best free option if you have a public GitHub repo. Not viable for self-hosted Gitea.

3. SSL.com

Cost: OV ~$200-350/year, EV ~$350-500/year + eSigner cloud signing costs.

Key facts:

  • Free open-source program discontinued as of late 2024
  • CA/Browser Forum rules (June 2023) require hardware token or cloud key storage — no PFX file downloads
  • eSigner cloud service has CLI tools and API, works with any CI
  • EV certificates provide immediate SmartScreen trust; OV needs reputation

Verdict: Expensive for personal projects. Only makes sense if you need EV and can justify the cost.

4. Certum (Asseco, Poland)

Cost: ~$27-59/year for open-source OV code signing (cheapest legitimate option).

Key facts:

  • Requires hardware token (SimplySign cloud or physical card reader)
  • SimplySign cloud option can work in CI with effort
  • OV only — SmartScreen reputation must be built over time

Verdict: Cheapest paid option. Good budget choice if you can wait for SmartScreen reputation.

5. Self-Signed Certificates

SmartScreen impact: None.

  • Provides zero SmartScreen benefit
  • May trigger more aggressive antivirus warnings than unsigned binaries
  • Only useful for internal distribution with controlled trust stores (Group Policy)

Verdict: Pointless for public distribution.

Comparison Table

Option Cost SmartScreen CI/CD Fit Individual OK?
Azure Trusted Signing $9.99/mo Immediate Excellent Yes
SignPath.io Free Immediate GitHub only Yes (if public repo)
SSL.com OV ~$250/yr Needs reputation Good (eSigner) Yes
SSL.com EV ~$400/yr Immediate Good (eSigner) Yes
Certum Open Source ~$30-60/yr Needs reputation Moderate Yes
Self-signed Free None Easy N/A

Recommendation

Azure Trusted Signing is the best option for personal open-source projects:

  • Affordable ($9.99/mo)
  • Immediate SmartScreen trust
  • No business entity required
  • Clean CI integration with any platform

If budget is zero and the project is on public GitHub, try SignPath.io first.

References

Reference in New Issue View Git Blame Copy Permalink