Tags: wix, code-signing, burn, heatwave

How to avoid Windows SmartScreen blocking my WIX 5 signed bundle


I just got a shiny new code signing certificate and integrated it into my build.

For my installer I use a WIX 5 bundle (via the heatwave extension). I sign the bundle using the instructions on the WIX site (https://wixtoolset.org/docs/tools/signing/). I use the MSBuild procedure with the two steps which sign the engine and bundle.

Seems to work fine, when installing (after clicking the Burn Install button) the Windows UAC prompts me and shows our Publisher name.

However... if I download the installer via a browser, then the "MS Defender SmartScreen" prompts me that I may be at risk and shows "Unknown Publisher". I then need to click "Run Anyway" to continue.

Looking at the bundle exe I see that in fact there is NOT a Digital Signature showing in the Windows Properties. I tested this and downloaded a signed exe, I was NOT prompted by the SmartScreen.

So, should the WIX bundle show with a signature? Is this the actual WIX engine that should be signed?

I tried signing the bundle myself, but that basically destroys it.

I tried signing the bundle using the command line method, which first detaches the engine from the bundle, then I sign the engine manually and finally reattach it. I get the same results, the bundle with the reattached and signed engine still shows in Windows as without a signature.

Is this just something we need to live with? I feel I'm getting more ripped off than usual with my certificate$.

-- fixed --

Well, after Rob verified that the bundle must be signed after the build, I looked closer at my project file and fixed the bad path:

from this:

<Target Name="SignBundleEngine">
    <Message Importance="high" Text="SignBundleEngine: @(SignBundleEngine)" />
    <Exec Command='sign.cmd "%(SignBundleEngine.FullPath)"' />
</Target>
<Target Name="SignBundle">
    <Message Importance="high" Text="SignBundle: @(SignBundle)" />
    <Exec Command='sign.cmd "%(SignBundleEngine.FullPath)"' />
</Target>

to this:

<Target Name="SignBundleEngine">
    <Message Importance="high" Text="SignBundleEngine: @(SignBundleEngine)" />
    <Exec Command='sign.cmd "%(SignBundleEngine.FullPath)"' />
</Target>
<Target Name="SignBundle">
    <Message Importance="high" Text="SignBundle: @(SignBundle)" />
    <Exec Command='sign.cmd "%(SignBundle.FullPath)"' />
</Target>

Yes I used the wrong path for the SignBundle target so the engine was signed but not the bundle. Just like everything indicated.


Solution

  • After building your bundle with signing enabled, right-click the .exe and select Properties. In the Digital Signature tab make sure it shows your file is signed. If you don't see that it is signed, then you have a bug in your build process. If that looks good, download the .exe through your process and see if it is still signed. If not, something is stripping the digital signature after the build process.

    If the file is actually signed, then know that sometimes SmartScreen takes a while to warm up to executables. Signing helps speed up the process but brand new executables need many successful downloads before being taken off the watch list.

    But if you're not signed... you need to fix that first.
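The "is the outer .exe actually signed?" check above can also be scripted into a build, which would have caught the wrong-path SignBundle target immediately. The following is an added example, not code from the question, the answer or the WiX project: it walks the PE headers to the Authenticode certificate table (data directory entry 4) and reports whether a WIN_CERTIFICATE of type PKCS_SIGNED_DATA is attached. It builds a constructed PE32+ sample for the demo and only checks that a signature blob is present, not that its chain is valid; `signtool verify /pa` or `Get-AuthenticodeSignature` do that.

```python
import struct

SECURITY_DIR = 4                       # IMAGE_DIRECTORY_ENTRY_SECURITY
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002


def authenticode_info(pe: bytes) -> dict:
    """Return {'signed', 'offset', 'size'} for the Authenticode cert table of a PE.
    The security directory stores a raw file offset, not an RVA."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 24                  # 4-byte signature + 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = {0x10B: opt + 96, 0x20B: opt + 112}.get(magic)   # PE32 / PE32+
    if dirs is None:
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    num_dirs = struct.unpack_from("<I", pe, dirs - 4)[0]    # NumberOfRvaAndSizes
    if num_dirs <= SECURITY_DIR:
        return {"signed": False, "offset": 0, "size": 0}
    offset, size = struct.unpack_from("<II", pe, dirs + SECURITY_DIR * 8)
    if offset == 0 or size < 8 or offset + size > len(pe):
        return {"signed": False, "offset": offset, "size": size}
    length, _revision, cert_type = struct.unpack_from("<IHH", pe, offset)  # WIN_CERTIFICATE
    signed = cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA and 8 < length <= size
    return {"signed": signed, "offset": offset, "size": size}


def build_sample_pe(with_signature: bool) -> bytes:
    """Constructed minimal PE32+ header for the demo; not a runnable executable."""
    opt_size = 112 + 16 * 8              # PE32+ fixed part + 16 data directories
    dos = b"MZ" + bytes(0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)                      # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)                       # NumberOfRvaAndSizes
    header_len = len(dos) + 4 + len(coff) + opt_size
    cert = b""
    if with_signature:
        body = b"\x30\x82\x00\x00"       # stand-in for the PKCS#7 SignedData blob
        cert = struct.pack("<IHH", 8 + len(body), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + body
        struct.pack_into("<II", opt, 112 + SECURITY_DIR * 8, header_len, len(cert))
    return dos + b"PE\0\0" + coff + bytes(opt) + cert


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe(True)
    print(authenticode_info(data))
```

Run it against the bundle .exe after the SignBundle target and fail the build when `signed` is false; run it again on the downloaded copy to tell a build bug apart from something stripping the signature in transit.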