Consider SignPath for Windows code signing

[curiousdannii]

With the recent difficulties downloading I6 on Windows 11, I've been looking into code signing options. @dfabulich pointed me to https://signpath.org who provide free OV certificates for open source projects. The highest profile package I could see being signed by them is Vim, who have been using it for at least 6? years. Also Stellarium, VSCodium.

Using it would involve compiling and code signing in Github Actions, which is probably not too complex.

Their terms are at https://signpath.org/terms Things I noticed include:

• The binaries have to be build in CI, to ensure they're verifiable
• They require team members to use multi-factor authentication. Though if all commits to master were done through pull requests then you might already be doing it? (PR merges do say verified).
• You'd need to specify who the team members are.
• Compiling would need metadata

[dfabulich]

For context, users on the intfiction.org forum reported that Windows 11 SmartScreen is confident that Inform 6 is a virus.

Windows 11 is so confident that Inform 6 is a virus that rather than open an Inform6 exe that fos1 compiled himself, Windows automatically deleted the file instead.

https://intfiction.org/t/inform-6-43-win-11-download-virus-detected/76107

Historically, my point of view on Windows code signing was, "alas, Windows sucks for FOSS; it's just not worth paying $X00/year to a protection mafia for a code signing certificate."

But considering that Win11 is simply deleting the file rather than allowing users to open it, and considering that SignPath is available at no charge… I think this is now worth looking into in 2025.

[heasm66]

I followed a similiar discussion on Notepad++. They seem to choose another path with issuing their own root certificates. The downside is that the user need to install and trust this certificate. It's not automatic, as it is from trusted vendors, but one have full control.

Maybe something to consider...

https://npp-user-manual.org/docs/getting-started/#notepad-self-signed-certificate-authority-for-binaries

[DavidKinder]

Using SignPath is an interesting idea, and worth considering. I don't think Notepad++'s solution, of having their own root certificate, is feasible for Inform6: Notepad++ is very much a developer / power user tool, and it's audience is much more likely to be comfortable with installing a certificate than the average Inform 6 user.

Step 1 is to get a CI build of Inform 6 going with Github Actions. I've created a repository "Inform6Test" to experiment with this (no link as I'll delete the repository once I've got something working) that is currently using MSYS2 to set up GCC on Windows and build an executable. More work is needed before I copy it across to this repository though.

[DavidKinder]

Progress on step 1: there is now a GitHub action that generates a Windows build of Inform 6, using MSBuild.