Investigate signing Windows and macOS binary executables #1952

Closed
devinbileck opened this issue Nov 23, 2018 · 14 comments · Fixed by #3772

Comments

@devinbileck
Member

devinbileck commented Nov 23, 2018

Launching the installation exe on Windows 10 triggers Windows Defender SmartScreen (see below). To install you have to select More info and then click Run anyway.

In order to prevent this, we will need to investigate signing the executable.

image

@ManfredKarrer
Contributor

Signing for Windows has been on our todo list for a long time. That would definitely be good.

@devinbileck
Member Author

@ripcurlx feel free to assign this one to me to investigate. Unless you have some ideas.

@ManfredKarrer ManfredKarrer assigned devinbileck and unassigned ripcurlx Dec 9, 2018
@devinbileck devinbileck changed the title Launching installation executable on Windows 10 triggers Windows Defender SmartScreen Investigate signing Windows and macOS binary executables Dec 28, 2018
@devinbileck
Member Author

Since Bisq is a decentralized project and team, there is no official business entity to register and sign the code signatures as required by certificate authorities.

Potentially a single trusted contributor could register and manage the code signing, likely as a bonded role.

However, Bitcoin Core has implemented code signing by having some core developers create an association with the single purpose of registering for code signing certificates. To quote their website (https://bitcoincorecodesigning.org/):

Bitcoin Core signs its Windows and macOS binaries with code signing certificates. Those certificates either need to be bound to an individual or a company organization. Bitcoin Core is purely an open source project and has no legal entity, thus, some of the Core Developers have founded an association with the single purpose of registering for code signing certificates.

So Bisq could potentially follow suit and create an association just for the purpose of registering for code signing certificates. This approach would likely still require a bonded role for all those involved.

@ManfredKarrer @cbeams @ripcurlx Do you have any comments or suggestions on which approach and whether to proceed?

@stale

stale bot commented Mar 28, 2019

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@ManfredKarrer
Contributor

Still a priority!

@stale

stale bot commented Jun 26, 2019

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the was:dropped label Jun 26, 2019
@devinbileck
Member Author

Still relevant

@stale stale bot removed the was:dropped label Jun 26, 2019
@stale

stale bot commented Sep 24, 2019

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the was:dropped label Sep 24, 2019
@devinbileck
Member Author

Still relevant.

@stale stale bot removed the was:dropped label Sep 28, 2019
@ripcurlx ripcurlx self-assigned this Oct 24, 2019
@ripcurlx
Contributor

To reduce unnecessary OS warnings and AntiVirus issues on Windows we need to sign our Windows builds.

I'll apply for a certificate to have everything ready for v1.2.1

@ripcurlx ripcurlx added this to the v1.2.1 milestone Oct 24, 2019
@ripcurlx
Contributor

@devinbileck It would be great if you could help out if I'm stuck on the way. Or maybe even prepare the build file for Windows to make the signing of the executable as easy as possible 😄

@devinbileck
Member Author

Sure! Let me know when you start the process and if you need any help.

@ripcurlx
Contributor

OK, as I was able to package and sign our installer with a self-signed developer certificate, I'll buy an official code signing certificate next.
I looked at a couple of cert authorities and it looks like Sectigo (formerly Comodo) has a reasonable offering: https://sectigo.com/signing-certificates/code-signing
I used them already in the past for acquiring an SSL certificate once when it wasn't that easy/common to use and it worked quite OK. Did anyone have recent problems with their services?

@CarvalhoBarberino

image

It happened again
