Debugging Signing issues - Windows?

I’ve been using @sudara’s excellent pamplejuce GitHub Actions [1] to get builds done of our plugins, and have followed the guide for code signing Windows installers with an EV cert on GitHub Actions - I thought I followed it ‘to a tee’, with all the appropriate secrets and certs and whatnot in place - but the resulting .exe is being reported by Windows as being from an “Unknown Publisher” … grr …

Before I dive into this world and attempt to debug what’s going on, I thought I’d ask for any advice/tips from others who have taken this path, in case there are some known gotchas that maybe didn’t quite yet make it into the docs … anyone got advice/tips?

One thing that might be working against me is that the DigiCert validation of our domains (prove we own them) didn’t happen until long after I’d finished setting up the certs and CSR, etc. - so maybe this means I should re-do the process now that DigiCert have validated our domains? I’m not sure if this is necessary, so I thought I’d ask in case others know the details.

Either way I’ll document my findings and of course share details as I debug things …

[1] - GitHub - sudara/pamplejuce: A JUCE Plugin CI template. JUCE 7 & Catch2 with macOS notarization and Windows EV code signing on Github Actions

Hey Jay, sorry you didn’t get success right out of the gate!

Is the exe actually getting signed? You can check it by opening properties.

Does Windows Defender SmartScreen pop up in blue and prevent the exe from being run? Or is the issue just that “Unknown Publisher” shows up somewhere?

Was DigiCert your vendor for the EV cert? I’m not familiar with the domain validation thing, is that for another product?

All this Windows signing stuff will get 10x easier when Azure Code Signing launches (should be early next year, I’m currently in the private preview)

2 Likes
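The “is the exe actually getting signed?” question above can be answered without clicking through Properties. The following is an added example, not code from the thread or from pamplejuce; it uses the built-in Get-AuthenticodeSignature cmdlet, and the installer path is an assumed placeholder for whatever artifact the CI job produced.

```powershell
# Added example (not from pamplejuce or this thread): report whether an installer
# carries an Authenticode signature and whether this machine trusts it.
# $InstallerPath is an assumed placeholder; point it at the .exe produced by CI.
param(
    [string]$InstallerPath = ".\MyPlugin-Installer.exe"   # assumption: your CI artifact
)

function Test-InstallerSignature {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) { throw "File not found: $Path" }

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # Status distinguishes the failure modes that all surface as "Unknown Publisher":
    #   NotSigned     -> the signing step never ran, or signed a different file
    #   HashMismatch  -> the file was modified after signing (e.g. re-packed installer)
    #   UnknownError  -> signed, but the chain does not lead to a trusted root here
    #   Valid         -> signed and trusted on this machine
    [pscustomobject]@{
        Path          = $Path
        Status        = $sig.Status
        StatusMessage = $sig.StatusMessage
        Signer        = $sig.SignerCertificate.Subject    # $null when NotSigned
        Issuer        = $sig.SignerCertificate.Issuer
        NotAfter      = $sig.SignerCertificate.NotAfter
        TimeStamped   = [bool]$sig.TimeStamperCertificate
    }
}

$result = Test-InstallerSignature -Path $InstallerPath
$result | Format-List

if ($result.Status -eq 'NotSigned') {
    Write-Warning "No Authenticode signature at all: the CI signing step did not touch this file."
}
elseif ($result.Status -eq 'Valid' -and -not $result.TimeStamped) {
    Write-Warning "Signed but not timestamped: the signature stops validating once the cert expires."
}

# Cross-check with signtool from the Windows SDK (/pa = Authenticode policy, /v = verbose chain):
#   signtool verify /pa /v "$InstallerPath"
```

A NotSigned result on the final installer is the usual culprit: the UAC prompt reads the signature of the executable the user launched, so signing the plugin binaries inside the package does nothing for the installer’s publisher line; the installer .exe itself has to be signed after it is built. A signed-but-untrusted result points at the certificate chain instead of the CI pipeline.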

Hi Sudara,

Thanks for the follow-up - and no worries, I truly enjoy applying your findings to our project, it has been a fun journey so far, following your carefully taped path.

Is the exe actually getting signed?

Doesn’t look like it. I’m yet to figure out why, however.

Does Windows Defender SmartScreen pop up in blue and prevent the exe from being run? Or is the issue just that “Unknown Publisher” shows up somewhere?

The latter case - “Unknown Publisher” shows up in the installer. Also, not quite sure what’s going on here - the biggest black hole in this setup is the AWS bins, where things are stored - perhaps I’ve got something askew in there. I’m planning on doing a full review of this build rig this week, so I’ll go through with a careful eye. Perhaps I’ve got a typo or a mismatched name somewhere, or I’ve got a string that needs its spaces escaped, or … something. Dunno yet, will debug and follow up with findings for future reference.