As illustrated by this recent issue, we might benefit from signing our binary releases with a valid key for Windows.
To be honest, I'm not sure if that would prevent or even decrease future antivirus false-positive results, but even if we just make that "_Do you want this app from an unknown publisher to make changes to your PC_" warning dialog less scary, it's probably worth it.
Some resources on the topic:
Potentially connected issues:
Worth investigating whether Chocolatey, being a package manager, would actually benefit from this whole binary code-signing business.
It wouldn't at this moment, AFAIK. Furthermore, the Chocolatey Gallery has integration with VirusTotal, so packages are as safe as they can get, because they are not going to be approved if there are more than a couple of false positives across the entirety of the 70+ antivirus engines.
In the case of the latest version there is one false positive result:

The previous version has 2 results.
This is the list of AVs used; there is no Windows Defender, though.
After a couple of days of diving into the Windows certificate world :sweat_smile:, I finally managed to produce a signed binary and installer. :tada:
You can see the CI changes and download the signed MSI from here.
I opted not to use any third-party GH Actions for this, for security reasons:

- signtool.exe but doesn't allow specifying a password, presumably because it expects a blank one... plus it's written in JS...
- the windows-latest GHA image already comes bundled with signtool.exe, so we don't need the cross-platform support.

Anyway, here's how it looks in Windows:

However, having a signed installer doesn't get rid of the "Windows protected your PC" warning dialog... :sob:
Now it shows the same screen just with the correct publisher information, whereas before it showed "Unknown publisher":

This SO answer and this linked one suggest that in order to remove this warning a publisher can either "gain" trust with SmartScreen over time, presumably by a lot of users choosing to ignore and run this signed installer anyway, but I don't see any guarantees of when or if that will eventually happen... Or, we can outright "buy trust" with an EV certificate, which the current one that Robin provided is not. These are usually much more expensive than regular certs and it's a plain scam if you ask me, but perhaps it might be worth it as a shortcut to get rid of this warning.
@robingustafsson @na-- @MStoykov What do you think?
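For reference, here is how the signing step described in the comment above can be done with the signtool.exe that ships on the windows-latest image, with no third-party action involved. This is an added example written for this thread, not k6's actual CI code, and it assumes things the thread does not state: the PFX is stored base64-encoded in a secret exposed as `$env:WIN_SIGN_PFX_B64`, its password in `$env:WIN_SIGN_PFX_PASSWORD`, and the timestamp server URL is a placeholder to swap for the one your CA provides.

```powershell
# Added example (not k6's CI code): sign files with a password-protected PFX using the
# signtool.exe bundled on the windows-latest GitHub Actions image, then verify the
# Authenticode signature. Assumptions: base64 PFX in $env:WIN_SIGN_PFX_B64, its password
# in $env:WIN_SIGN_PFX_PASSWORD, and a placeholder RFC 3161 timestamp server URL.
param(
    [Parameter(Mandatory)] [string[]] $Files,
    [string] $TimestampUrl = 'http://timestamp.digicert.com'  # assumption: use your CA's TSA
)
$ErrorActionPreference = 'Stop'

# Locate signtool.exe in the Windows 10 SDK (present on windows-latest); take the newest x64 build.
$signtool = Get-ChildItem "${env:ProgramFiles(x86)}\Windows Kits\10\bin\*\x64\signtool.exe" |
    Sort-Object FullName -Descending | Select-Object -First 1 -ExpandProperty FullName
if (-not $signtool) { throw 'signtool.exe not found; install the Windows 10 SDK' }

# Materialise the PFX from the secret into a temp file that is deleted afterwards, so the
# private key never lands in the repo checkout or in a cached directory.
$tmpDir = if ($env:RUNNER_TEMP) { $env:RUNNER_TEMP } else { [IO.Path]::GetTempPath() }
$pfxPath = Join-Path $tmpDir 'codesign.pfx'
[IO.File]::WriteAllBytes($pfxPath, [Convert]::FromBase64String($env:WIN_SIGN_PFX_B64))
try {
    foreach ($f in $Files) {
        # /fd SHA256: file digest algorithm. /tr + /td SHA256: RFC 3161 timestamp, so the
        # signature stays valid after the certificate itself expires. /p passes the PFX
        # password, which is the part the JS action mentioned above could not do.
        & $signtool sign /f $pfxPath /p $env:WIN_SIGN_PFX_PASSWORD /fd SHA256 `
            /tr $TimestampUrl /td SHA256 $f
        if ($LASTEXITCODE -ne 0) { throw "signtool sign failed for $f (exit $LASTEXITCODE)" }

        # /pa: verify against the Default Authentication Policy, which is what Windows applies
        # to ordinary executables and MSIs (the default is the stricter driver-signing policy).
        & $signtool verify /pa /v $f
        if ($LASTEXITCODE -ne 0) { throw "signtool verify failed for $f (exit $LASTEXITCODE)" }

        # Cross-check from PowerShell: Status must be Valid and the signer subject should be
        # the publisher you expect to see in the UAC dialog.
        $sig = Get-AuthenticodeSignature -FilePath $f
        if ($sig.Status -ne 'Valid') { throw "Authenticode status for ${f}: $($sig.Status)" }
        '{0}: signed by {1}; timestamped by {2}' -f $f, $sig.SignerCertificate.Subject,
            $sig.TimeStamperCertificate.Subject
    }
}
finally {
    # Best-effort removal of the key material from the runner.
    Remove-Item $pfxPath -Force -ErrorAction SilentlyContinue
}
```

Usage from a workflow step would be something like `.\sign.ps1 -Files dist\k6.exe, dist\k6.msi` with the two secrets mapped into `env:`. Note that a valid signature only changes the publisher shown in the dialogs; as the screenshots above show, it does not by itself make SmartScreen stop warning.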
Here's an idea of the time and number of installs it takes for SmartScreen to gain trust in a publisher without an EV cert:
For me, it took 16 days and some 500 to 2000 installs before SmartScreen trusted my brand-new certificate.
And the other answer for that question mentions that even an EV cert is not guaranteed to get rid of this warning, but it probably speeds things up.
Given this, I'm inclined to suggest that we start using this non-EV cert from v0.30.0 and just wait for MS to trust it. I reckon we can hit ~2K installs in a couple of weeks.
Hmm, not sure if we should buy into the MS EV certificate racket. Even this basic signing gets rid of the other "unknown publisher" warning, and puts Load Impact AB in the blue dialog in the last screenshot, so it's definitely better than nothing and may be good enough for now...
Regarding signtool.exe - I think you made the right decision. osslsigncode seems interesting and I'm glad it exists, but since we're already running on a windows VM for other reasons, we have no need to use it.