www.digitalmars.com         C & C++   DMDScript  

digitalmars.D - Signed DMD binaries

reply Seb <seb wilzba.ch> writes:
As a few of you might have noticed, we bought a Code Signing 
Certificate a few days ago and while we're still investigating on 
how to integrate the code signing best into the release process, 
I thought a share a first preview of signed DMD binaries with you.

So I semi-officially repacked 2.081.2 and signed the released 
binaries and libraries:

http://files.wilzba.ch/dlang/releases

 sha256sum dmd.2.081.2.windows.7z
598a477e3692fb43c2bf010d62620506e0d0169e5dbaaa909ab9fca84204f751 dmd.2.081.2.windows.7z In the future, the official releases will come with signed binaries, but as there are a few people running into troubles with their company software policy or virus scanner, I thought I share this semi-official release with you. Feedback is welcome ;-)
Aug 13 2018
next sibling parent reply Jacob Carlborg <doob me.com> writes:
On 2018-08-13 20:48, Seb wrote:
 As a few of you might have noticed, we bought a Code Signing Certificate 
 a few days ago and while we're still investigating on how to integrate 
 the code signing best into the release process, I thought a share a 
 first preview of signed DMD binaries with you.
 
 So I semi-officially repacked 2.081.2 and signed the released binaries 
 and libraries:
 
 http://files.wilzba.ch/dlang/releases
 
 sha256sum dmd.2.081.2.windows.7z
598a477e3692fb43c2bf010d62620506e0d0169e5dbaaa909ab9fca84204f751 dmd.2.081.2.windows.7z In the future, the official releases will come with signed binaries, but as there are a few people running into troubles with their company software policy or virus scanner, I thought I share this semi-official release with you. Feedback is welcome ;-)
Any plans for doing the same thing for the installer on macOS? It complains that it's from an unidentified developer and forces the user to go into System Preferences and reopen the installer. -- /Jacob Carlborg
Aug 13 2018
next sibling parent reply Timoses <timosesu gmail.com> writes:
On Monday, 13 August 2018 at 19:09:55 UTC, Jacob Carlborg wrote:
 Any plans for doing the same thing for the installer on macOS? 
 It complains that it's from an unidentified developer and 
 forces the user to go into System Preferences and reopen the 
 installer.
Can't you just usually right-click the file and select "Open" which enables something like the "Open anyway" option to be displayed (usually not visible when just double clicking the file...)?
Aug 14 2018
parent rikki cattermole <rikki cattermole.co.nz> writes:
On 15/08/2018 2:14 AM, Timoses wrote:
 On Monday, 13 August 2018 at 19:09:55 UTC, Jacob Carlborg wrote:
 Any plans for doing the same thing for the installer on macOS? It 
 complains that it's from an unidentified developer and forces the user 
 to go into System Preferences and reopen the installer.
Can't you just usually right-click the file and select "Open" which enables something like the "Open anyway" option to be displayed (usually not visible when just double clicking the file...)?
Only after you have disabled said check.
Aug 14 2018
prev sibling parent reply Seb <seb wilzba.ch> writes:
On Monday, 13 August 2018 at 19:09:55 UTC, Jacob Carlborg wrote:
 Any plans for doing the same thing for the installer on macOS? 
 It complains that it's from an unidentified developer and 
 forces the user to go into System Preferences and reopen the 
 installer.
Yes, the certificate allows signing binaries for OSX too. However, as we still haven't fully figured out how to integrate the binary signing for Windows in the release process (and this can be done on Linux) and OSX binary signing can only be done on OSX AFAICT, this might take a bit until it gets integrated. Also I think Martin is the only one who currently has the VirtualBox image for OSX setup which is required by the create_dmd_release build tool. In case someone wants to have a look, the relevant steps happen/should happen here: https://github.com/dlang/installer/blob/master/create_dmd_release/build_all.d#L329
Aug 14 2018
parent reply Jacob Carlborg <doob me.com> writes:
On Tuesday, 14 August 2018 at 14:42:54 UTC, Seb wrote:
 On Monday, 13 August 2018 at 19:09:55 UTC, Jacob Carlborg wrote:
 Any plans for doing the same thing for the installer on macOS? 
 It complains that it's from an unidentified developer and 
 forces the user to go into System Preferences and reopen the 
 installer.
Yes, the certificate allows signing binaries for OSX too.
On macOS the certificate needs to be obtained from Apple through the developer program [1]. [1] https://developer.apple.com/library/archive/documentation/Security/Conceptual/CodeSigningGuide/Procedures/Procedures.html#//apple_ref/doc/uid/TP40005929-CH4-SW30 — /Jacob Carlborg
Aug 14 2018
parent reply Radu <void null.pt> writes:
On Tuesday, 14 August 2018 at 16:10:41 UTC, Jacob Carlborg wrote:
 On Tuesday, 14 August 2018 at 14:42:54 UTC, Seb wrote:
 On Monday, 13 August 2018 at 19:09:55 UTC, Jacob Carlborg 
 wrote:
 Any plans for doing the same thing for the installer on 
 macOS? It complains that it's from an unidentified developer 
 and forces the user to go into System Preferences and reopen 
 the installer.
Yes, the certificate allows signing binaries for OSX too.
On macOS the certificate needs to be obtained from Apple through the developer program [1]. [1] https://developer.apple.com/library/archive/documentation/Security/Conceptual/CodeSigningGuide/Procedures/Procedures.html#//apple_ref/doc/uid/TP40005929-CH4-SW30 — /Jacob Carlborg
The say this: ``` Note: Apple uses the industry-standard form and format of code signing certificates. Therefore, if your company already has a third-party signing identity that you use to sign code on other systems, you can use it with the macOS codesign command. Similarly, if your company is a certificate issuing authority, contact your IT department to find out how to get a signing certificate issued by your company. However, while these valid certificates allow you to sign your code, you can only distribute through the App Store or through the Developer ID program when you sign with a certificate issued by Apple. ```
Aug 15 2018
parent Jacob Carlborg <doob me.com> writes:
On Wednesday, 15 August 2018 at 09:39:42 UTC, Radu wrote:

 The say this:
 ```
 Note: Apple uses the industry-standard form and format of code 
 signing certificates. Therefore, if your company already has a 
 third-party signing identity that you use to sign code on other 
 systems, you can use it with the macOS codesign command. 
 Similarly, if your company is a certificate issuing authority, 
 contact your IT department to find out how to get a signing 
 certificate issued by your company. However, while these valid 
 certificates allow you to sign your code, you can only 
 distribute through the App Store or through the Developer ID 
 program when you sign with a certificate issued by Apple.
 ```
Cool, I didn't know that. /Jacob Carlborg
Aug 16 2018
prev sibling next sibling parent Walter Bright <newshound2 digitalmars.com> writes:
On 8/13/2018 11:48 AM, Seb wrote:
 Feedback is welcome ;-)
Thank you!
Aug 13 2018
prev sibling next sibling parent reply Mike Franklin <slavo5150 yahoo.com> writes:
On Monday, 13 August 2018 at 18:48:21 UTC, Seb wrote:

 Feedback is welcome ;-)
Thanks a lot for doing this. Honestly, I think this small change, if we can keep it maintained, will make a significant impact in users' perception of D. I don't think the issue is actually with the DMD executables, but with the DMD installer package. I'm speaking somewhat in ignorance here, but I think what's most important is to sign the installer package. I asked about what installer packaging software we are using (InstallShield, InnoSetup, etc...) at https://issues.dlang.org/show_bug.cgi?id=18786, but didn't get a response. When you try to run the installer on a recent Windows machine, you see this (https://cdn1.tekrevue.com/wp-content/uploads/2017/09/windows-pro ected-your-pc.jpg). That is what's scaring people. User's have to click the "More info" link, and then a "Run anyway" button appears (https://www.autoitscript.com/site/wp-content/uploads/2018/01/SmartScreen_Windows_Protected_Your_PC_Run_Anyway.png) So, I think the solution is to sign the installer package. I've never done that before, but a quick search on the Internet yielded: http://www.samlogic.net/visual-installer/tips/tips-pages/code-sign-setup-package/code-sign-setup-package.htm https://learn.adafruit.com/how-to-sign-windows-drivers-installer/making-an-installer#sign-the-installer-5-28 I don't think that will solve the virus problem, but it should at least remove the scary *Windows is protecting you* popup message. For the virus problem, it would be helpful to know what software we are using to create the installer package. Is it legit? Mike
Aug 13 2018
next sibling parent rikki cattermole <rikki cattermole.co.nz> writes:
On 14/08/2018 12:58 PM, Mike Franklin wrote:
 I don't think the issue is actually with the DMD executables, but with 
 the DMD installer package.  I'm speaking somewhat in ignorance here, but 
 I think what's most important is to sign the installer package.  I asked 
 about what installer packaging software we are using (InstallShield, 
 InnoSetup, etc...) at https://issues.dlang.org/show_bug.cgi?id=18786, 
 but didn't get a response.
https://github.com/dlang/installer/tree/master/windows NSIS so yes fairly standard. And no, there are popups that can happen because it isn't signed/trusted. So we should sign everything that we can.
Aug 13 2018
prev sibling parent reply Manu <turkeyman gmail.com> writes:
On Mon, 13 Aug 2018 at 18:00, Mike Franklin via Digitalmars-d
<digitalmars-d puremagic.com> wrote:
 On Monday, 13 August 2018 at 18:48:21 UTC, Seb wrote:

 Feedback is welcome ;-)
Thanks a lot for doing this. Honestly, I think this small change, if we can keep it maintained, will make a significant impact in users' perception of D. I don't think the issue is actually with the DMD executables, but with the DMD installer package. I'm speaking somewhat in ignorance here, but I think what's most important is to sign the installer package. I asked about what installer packaging software we are using (InstallShield, InnoSetup, etc...) at https://issues.dlang.org/show_bug.cgi?id=18786, but didn't get a response. When you try to run the installer on a recent Windows machine, you see this (https://cdn1.tekrevue.com/wp-content/uploads/2017/09/windows-pro ected-your-pc.jpg). That is what's scaring people. User's have to click the "More info" link, and then a "Run anyway" button appears (https://www.autoitscript.com/site/wp-content/uploads/2018/01/SmartScreen_Windows_Protected_Your_PC_Run_Anyway.png) So, I think the solution is to sign the installer package. I've never done that before, but a quick search on the Internet yielded: http://www.samlogic.net/visual-installer/tips/tips-pages/code-sign-setup-package/code-sign-setup-package.htm https://learn.adafruit.com/how-to-sign-windows-drivers-installer/making-an-installer#sign-the-installer-5-28 I don't think that will solve the virus problem, but it should at least remove the scary *Windows is protecting you* popup message. For the virus problem, it would be helpful to know what software we are using to create the installer package. Is it legit? Mike
Indeed, it's the installer that's in critical need of being signed... but all the binaries are worth signing if that's convenient.
Aug 15 2018
parent reply Andrei Alexandrescu <SeeWebsiteForEmail erdani.com> writes:
On 8/15/18 7:44 PM, Manu wrote:
 Indeed, it's the installer that's in critical need of being signed...
 but all the binaries are worth signing if that's convenient.

Any chance we could delegate some of the effort of working on this to you? Are other Windows users interested in helping? Martin has spent a fair amount of time dealing with this, and he's not a Windows expert. We could definitely use some help here.
Aug 16 2018
parent reply Martin Nowak <code+news.digitalmars dawg.eu> writes:
On 08/16/2018 04:13 PM, Andrei Alexandrescu wrote:
 On 8/15/18 7:44 PM, Manu wrote:
 Indeed, it's the installer that's in critical need of being signed...
 but all the binaries are worth signing if that's convenient.

Any chance we could delegate some of the effort of working on this to you? Are other Windows users interested in helping? Martin has spent a fair amount of time dealing with this, and he's not a Windows expert. We could definitely use some help here.
A review would be helpful. https://github.com/dlang/installer/pull/339 And more Windows dev-volunteers for upcoming features.
Aug 16 2018
parent reply Mike Franklin <slavo5150 yahoo.com> writes:
On Thursday, 16 August 2018 at 17:06:27 UTC, Martin Nowak wrote:

 A review would be helpful.
It looks fine to me, though, that's not saying much. If you need someone to test something, contact me on Slack.
 And more Windows dev-volunteers for upcoming features.
To do what exactly? Mike
Aug 16 2018
parent reply Martin Nowak <code+news.digitalmars dawg.eu> writes:
On 08/17/2018 01:24 AM, Mike Franklin wrote:
 On Thursday, 16 August 2018 at 17:06:27 UTC, Martin Nowak wrote:
 
 A review would be helpful.
It looks fine to me, though, that's not saying much.  If you need someone to test something, contact me on Slack.
 And more Windows dev-volunteers for upcoming features.
To do what exactly?
Well from my point of view the most important outstanding Windows tasks are: - help to test, debug, and fix the experimental lld/mingw toolchain (https://dlang.org/changelog/2.079.0.html#lld_mingw) Once this is ready for production use it would simplify the Windows installation and allowed us to drop optlink and OMF. - help Benjamin Thaut with the export feature This is intended to cover dllimport/dllexport, but in a single keyword without macros (more info https://dconf.org/2016/talks/thaut.html). It's a necessity for full DLL support on Windows and we also want to use explicitly exported symbols to speed up Posix binaries (by avoiding PLT indirections). - get a 64-bit VC dmd.exe into the release 64-bit builds should be fully CI-integrated (mostly already done via AppVeyor AFAIK). Integrate build script/makefile with existing Windows release build (https://github.com/dlang/installer/blob/f7ee5aeab79a800317d875b5ee2e34ec2ad8803c/create_dmd_release/build_all.d#L41-L43, and https://github.com/dlang/installer/blob/f7ee5aeab79a800317d875b5ee2e34ec2ad8803c/create_dmd_release/create_dmd_release.d#L444). I'd be happy to add anyone remotely interested in Windows-support to our #Windows channel on slack (https://dlang.slack.com/messages/C6D5FEJ78). It's unfortunately fairly quiet atm. -Martin
Aug 17 2018
next sibling parent Mike Franklin <slavo5150 yahoo.com> writes:
On Friday, 17 August 2018 at 16:42:08 UTC, Martin Nowak wrote:
 On 08/17/2018 01:24 AM, Mike Franklin wrote:
 Well from my point of view the most important outstanding 
 Windows tasks are:
[...] Thanks. I'm currently working on getting build.d to work on Windows. https://github.com/dlang/dmd/pull/8570 https://github.com/dlang/dmd/pull/8568 https://github.com/dlang/dmd/pull/8566 https://github.com/dlang/dmd/pull/8546 I think once that's done it won't be such a huge burden to set up a development environment for Windows, and hopefully we'll see more participation.
 I'd be happy to add anyone remotely interested in 
 Windows-support to our #Windows channel on slack 
 (https://dlang.slack.com/messages/C6D5FEJ78). It's 
 unfortunately fairly quiet atm.
Joined. Mike
Aug 17 2018
prev sibling next sibling parent Mike Franklin <slavo5150 yahoo.com> writes:
On Friday, 17 August 2018 at 16:42:08 UTC, Martin Nowak wrote:

 - help to test, debug, and fix the experimental lld/mingw 
 toolchain
   (https://dlang.org/changelog/2.079.0.html#lld_mingw)
I'd be happy to test this, but where are the instructions for using it? Do I need to uninstall Visual Studio first (please no)? Mike
Aug 17 2018
prev sibling parent reply Manu <turkeyman gmail.com> writes:
On Fri, 17 Aug 2018 at 09:45, Martin Nowak via Digitalmars-d
<digitalmars-d puremagic.com> wrote:
 Well from my point of view the most important outstanding Windows tasks are:

 - help to test, debug, and fix the experimental lld/mingw toolchain
   (https://dlang.org/changelog/2.079.0.html#lld_mingw)

   Once this is ready for production use it would simplify the Windows
 installation and allowed us to drop optlink and OMF.
Is there any reason to believe Walter would accept that? It's come up countless times. He rejects it in principle. https://github.com/dlang/dmd/pull/8347 He genuinely believes OMF+OPTLINK should be the deliberate and preferred default that everyone should be confronted with as their first experience. It clearly improves new users experience with D. Has something changed?
Aug 18 2018
parent rikki cattermole <rikki cattermole.co.nz> writes:
On 19/08/2018 7:16 AM, Manu wrote:
 He genuinely believes OMF+OPTLINK should be the deliberate and
 preferred default that everyone should be confronted with as their
 first experience. It clearly improves new users experience with D.
 Has something changed?
Yes. We're adding support (experimental) for LLD (LLVM linker) with MinGW import libraries and VC2010 as of 2.079. Which gives out of the box support for PE-COFF. Long term this should mean we can drop OMF altogether. But like 64bit support took, it'll be a while before its ready to go primary.
Aug 18 2018
prev sibling next sibling parent Rel <relmail rambler.ru> writes:
 Feedback is welcome ;-)
The latest DMD installer seems not to be flaged by Kaspersky Antivirus, thanks!
Aug 14 2018
prev sibling parent Radu <void null.pt> writes:
On Monday, 13 August 2018 at 18:48:21 UTC, Seb wrote:
 As a few of you might have noticed, we bought a Code Signing 
 Certificate a few days ago and while we're still investigating 
 on how to integrate the code signing best into the release 
 process, I thought a share a first preview of signed DMD 
 binaries with you.

 So I semi-officially repacked 2.081.2 and signed the released 
 binaries and libraries:

 http://files.wilzba.ch/dlang/releases

 sha256sum dmd.2.081.2.windows.7z
598a477e3692fb43c2bf010d62620506e0d0169e5dbaaa909ab9fca84204f751 dmd.2.081.2.windows.7z In the future, the official releases will come with signed binaries, but as there are a few people running into troubles with their company software policy or virus scanner, I thought I share this semi-official release with you. Feedback is welcome ;-)
:) Thanks!
Aug 15 2018