Ask HN: Code Signing or No Installer?

1 points by textman 3 years ago | 9 comments

B2B Windows desktop software sold mainly to medium to large companies, will they "install" it if there is no installer, but just a readme file that says to copy all the files to whatever location they choose? Only a single .exe plus a help file.

moremetadata 3 years ago |

> will they "install" it if there is no installer

Probably not. SysAdmins tend to use remote installation methods like this one to push a software installation to a workstation, so the installation software needs a command line with switches interface to setup for automated silent installs.

https://learn.microsoft.com/en-us/troubleshoot/windows-serve...

It works well and saves a lot of time going around to individual workstations spread across multiple floors.

textman 3 years ago | |

I should have mentioned that while purchased by some big companies, there is usually just one user so would not be worthwhile to set it up for remote installation. It is a very niche, specialized program.

_2uwr 3 years ago | | |

As to Code signing, if you have a Dunn and Bradstreet number for you business, its fairly straight forward getting a coding signing cert and there's different types which you can buy for your app, but it just means you have passed an identity check, the reports I've seen of the hurdles you have to go through are reduced the more you pay, ie Digicert is purportedly less time consuming than cheaper code signing CA's.

Considering things like GDPR and other data protection legislation around the world, I'm not aware how these CA's can verify identification documents because the companies or entities that make the documentation used for identification purposes cant give out your data, ergo they cant confirm or deny if the identification document is genuine or not.

And even if you did codesign your app, the end user company would probably hash your app and restrict its ability to use certain things on the computer in much the same way sandboxes do for web browsers.

Group Policy is one of the ways to lock an app's abilities down, but that's a job in itself if special GPO templates are not purchased to save on time.

eg https://learn.microsoft.com/en-us/windows-server/identity/so...

If you want the appearance of being genuine, I'd probably get a code signing cert, at the very least your users wont get the orange UAC prompt, especially if your app uses certain api's which required UAC elevation and/or also depending on your manifest file.

PaulHoule 3 years ago |

I use a few Windows programs that are "installed" like you say. I prefer programs that have a Windows installer though.

My work laptop is managed and wouldn't let me install my own software that isn't managed by IT if they hadn't modified it to let me log as an administrator since, as a software dev, I need to do all kinds of strange things to it.

textman 3 years ago | |

So what does it take to get IT to approve software, particularly if no code signed installer? I was always a dev contractor so was never part of those decisions/policies.

PaulHoule 3 years ago | | |

I have not been close to it either. At my employer we have a "software center" that people use it install supported applications.

I know people who work at some big banks in NYC where all software has to be approved and they managed to get approval to use a Python library I wrote that I think they install with pip.

daviddever23box 3 years ago |

Manufacturer-signed installer, Microsoft-signed DLLs or executables. Anything else is a virus.