Signed Windows installer and binaries #1778
For the past 3 years we have signed our Windows installer and binaries using a code signing certificate purchased in 2021 from @asheroto for $160.
This certificate will expire on November 17, 2024.
Since 2021, the certificate industry has undergone several changes; now code signing certificates seem to require an HSM.
This means we are no longer able to export our code signing certificate with its private key and use this in GitHub actions.
We would now either need to have our own GitHub agent and hardware token, use a cloud solution or sign locally.
Providing signed Windows installer and binaries can now cost us up to $1,000 for 3 years and also some manual work if we can no longer use GitHub actions.
If you use SFTPGo on Windows and your company requires a signed installer and binaries, please consider supporting the project in some way. This feature may be removed or restricted to commercial users/companies.
If our Windows installer fails the submission checks to Chocolatey and WinGet because it is no longer signed, we may discontinue those packages as well.

Comments

We have applied for Trusted Signing and submitted our Identity Validation. The pricing for this service is about $120/year. If accepted, we will continue to provide signed installers and binaries to everyone for free.

If Microsoft requests an industry reference, feel free to list me. If you have trouble getting approved, let me know and I can reach out to our Microsoft Partner Account Manager.

Thank you @asheroto. I'll let you know. Trusted Signing is a preview service and is not yet open to everyone. As a business entity, we are a Limited Liability Company (LLC) active since February 2024. When we submitted the Identity Validation, they also asked for our Azure Seller ID, which was previously associated with my sole proprietorship and is about 2 years old. I don't know if they will make an exception considering our seller ID and also that SFTPGo is an open source project actively maintained since 2019. Worth a try. We are offering to pay $120 per year, in addition to our work to provide everyone with signed binaries for free. I don't think we can do more. If we are not accepted, we will purchase a code signing certificate from a third-party vendor if requested by our commercial users and limit this feature to them, sorry.

Identity validation failed. We were contacted by a noreply email address and, after providing some documents to prove ownership of the domain, validation probably failed when they verified the age of our company. We have to wait for the Trusted Signing service to be generally available or purchase a code signing certificate from a third-party provider but, as explained, in the latter case the cost is quite high. I think we'll tag a new point release before November 17; this will likely be the latest public Windows version with signed installer and binaries, sorry.

Hey @drakkan, thanks for posting all these details. I'll just reiterate that I'll be following up with you as soon as we are available to onboard individuals. You can feel free to tag me if you have any questions as well.

Fixes #1778 Signed-off-by: Nicola Murino <[email protected]>

Hey @drakkan, just FYI, Trusted Signing is available for indie devs. Apologies for not reaching out before.

@Jaxelr yes, thank you. I now use Trusted Signing in my GitHub workflows to sign Windows binaries and the installer; see the commits referenced above. I will also be updating the workflows for repositories in the SFTPGo organization in the next few days. I will wait for the first invoice, but I don't expect any surprises; the quota of 5000 signatures/month should not be exceeded.

We have received the first invoice and it was as expected. We will pay about $120 per year to continue providing signed binaries to Windows users for free.