
Consider allowing self-signed certificates in App Installer #332

Closed
wjk opened this issue Feb 15, 2020 · 6 comments

Comments

@wjk
Contributor

wjk commented Feb 15, 2020

One of the biggest pain points for me with MSIX currently is how the App Installer requires that MSIX packages be signed with a commercially obtained code-signing certificate. In my opinion, this completely precludes small development shops like mine from providing MSIX packages directly to users due to the extremely high cost of the required cert. (Furthermore, I understand that it is CA policy to only issue code-signing certs to legal entities, and never to individuals. This adds even more expense and complexity, as I do not want to incorporate or form an LLC due to the complicated tax situation doing so would subject me to.) I am therefore forced to wrap the MSIX in an EXE-based installer that adds the self-signed certificate I use to the Trusted People store, then calls the deployment APIs to perform the actual installation. This is rather inconvenient, and it also means I can't use the App Installer's auto-update check feature.

In all honesty, the fact that a certificate is issued by a commercial CA provides no extra value to the question of whether the package is trustable. The purpose of code signing on Windows is to validate that the binaries I have are the same binaries that the developer released, and that they haven't been tampered with since. To confirm this, I can compare the thumbprint of the certificate to what the publisher specifies. If they are the same, then I can be as certain as I can be that the binaries were signed by who I think they were. This process works just as well for self-signed certs as for commercial certs. (Not to mention, there have been many incidents wherein commercial CAs have issued certs that were then used fraudulently or used to sign malware, rendering the validation process of getting a cert worthless IMO.)

I remember seeing a Windows 2000-era screenshot of the ActiveX control installer that included verbiage like "[publisher name] represents that this content is safe. Only install if you trust [publisher name] to make this assertion," along with a button to view the certificate details. This is how code signing should work, and is in fact how it does work on Linux. Would it be possible to update the App Installer to show a similar dialog if a self-signed certificate is detected, and auto-install the certificate if the user consents? (If the cert used is commercially signed, no warning need appear and the behavior doesn't need to change.) This is especially important on Windows 10X, where MSIX packages are the preferred method of deploying applications. Thanks!

@wjk
Contributor Author

wjk commented Mar 14, 2020

I have since found a commercial CA that both (a) charges reasonable prices for their certificates, and (b) issues code signing certs to individuals like me. (For the benefit of those who find this issue in the future, the CA I am referring to is SSL.com.) Since this issue is no longer relevant to me (and very unlikely to be acted upon in the first place), I'm going to close it now. Thanks!

@wjk wjk closed this as completed Mar 14, 2020
@nephatrine

For the benefit of anyone who stumbles on this closed issue, I just want to chime in that what I do is use a self-signed certificate and provide the public .crt alongside my downloads. Users just have to add it if they trust me as a source, and they are able to install my appx/msix packages without issue afterwards. Sure, it's slightly more effort for an end-user than it just working out of the box or automatically asking to add the certificate, but it's not terribly difficult and only needs to be done once (at least until the cert expires).
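The workflow wjk and nephatrine describe (publisher states a thumbprint and ships the public .crt; the user pins to it before trusting the cert and installing) can be made a little less error-prone with a script. This is an added example, not code from the thread or from the MSIX project; the package path, the expected thumbprint and the optional .crt path are placeholders supplied by the user, and the MSIX-specific check that the manifest Publisher must equal the signer's subject is assumed from the MSIX packaging rules rather than from anything in the thread.

```powershell
# Added example: pin a downloaded MSIX to a publisher-stated certificate thumbprint
# before adding that certificate to Trusted People and installing the package.
param(
    [Parameter(Mandatory)] [string] $PackagePath,         # placeholder, e.g. .\MyApp.msix
    [Parameter(Mandatory)] [string] $ExpectedThumbprint,  # SHA-1 thumbprint the publisher states out-of-band
    [string] $CertPath                                     # optional: the public .crt shipped with the download
)
$ErrorActionPreference = 'Stop'

# 1. Authenticode: is the package signed at all, and by which certificate?
#    For a self-signed cert $sig.Status will not be Valid; we pin on the certificate itself instead.
$sig = Get-AuthenticodeSignature -FilePath $PackagePath
if (-not $sig.SignerCertificate) { throw "Package is not signed; refusing to install." }
$actual = $sig.SignerCertificate.Thumbprint

# 2. Pin: the thumbprint must match the publisher's stated value, not just "some" self-signed cert.
$expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($actual -ne $expected) {
    throw "Thumbprint mismatch: signer is $actual, publisher stated $expected. Do not install."
}

# 3. If a .crt was shipped alongside, confirm it is the very same certificate and not a swapped one.
if ($CertPath) {
    $shipped = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath
    if ($shipped.Thumbprint -ne $actual) { throw "Shipped .crt does not match the package signer." }
}

# 4. MSIX requires the manifest Publisher to equal the signing certificate's subject (assumed rule);
#    check it explicitly so a mismatch is reported here rather than as an opaque deployment error.
Add-Type -AssemblyName System.IO.Compression.FileSystem
$zip = [System.IO.Compression.ZipFile]::OpenRead((Resolve-Path $PackagePath).Path)
try {
    $entry = $zip.GetEntry('AppxManifest.xml')
    if (-not $entry) { throw "No AppxManifest.xml found (a bundle needs per-package checks)." }
    $reader = New-Object System.IO.StreamReader($entry.Open())
    $manifest = [xml] $reader.ReadToEnd()
    $reader.Dispose()
} finally { $zip.Dispose() }
$normalize = { param($s) ($s -replace '\s*,\s*', ', ').Trim() }
$publisher = & $normalize $manifest.Package.Identity.Publisher
$subject   = & $normalize $sig.SignerCertificate.Subject
if ($publisher -ne $subject) { throw "Manifest Publisher '$publisher' != signer subject '$subject'." }

# 5. Only now trust the certificate (LocalMachine\TrustedPeople needs an elevated shell) and install.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('TrustedPeople', 'LocalMachine')
$store.Open('ReadWrite')
$store.Add($sig.SignerCertificate)
$store.Close()
Add-AppxPackage -Path $PackagePath
```

Run it from an elevated PowerShell; any failed check throws before the certificate store is touched, so a tampered package or a substituted .crt never becomes trusted.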

@xmine64

xmine64 commented Nov 30, 2021

It's ridiculous. You can run any win32 apps with full privilege, even if they're not signed, but you can't run secure MSIX apps in a container without a trusted certificate.

@Aeroverra

No response? Is this the slow control creep we have been expecting? Keeping users safe by taking away their choice slow enough to stay off the radar...

@steam3d

steam3d commented Nov 24, 2023

@xmine64 I agree. What's the point of choosing msix in development if there are so many restrictions?

@RokeJulianLockhart

RokeJulianLockhart commented Jun 10, 2024

#332 (comment)

@wjk, this is unacceptable. I've requested that dozens of projects use MSIX. Solely a few have managed it due to merely this requirement. I've been unable to package my own for the same reason - I don't have enough money to pay for a trusted certificate, and my packages are not designed for the kind of user who cannot validate a certificate anyway. Indeed, I can provide .crts for the packages, but expiry becomes a problem after enough are installed.

Since my projects are cross-platform, I now recommend that users just install a Linux-based OS and use Flatpak there, which is absurd.

MSIX is the best packaging format I've seen thus far. Allow it to be utilized.
