I also use Sectigo from Ksign and got the pfx cert. It was for a brand new company name so it took a couple of days to get verified but worth the wait.
I use MSIX packaging tool from Microsoft. It builds a package from your setup file that can be installed from your own website link and it works a lot like your own app store. Once the app is downloaded and installed, If you upload an update to your website then all users of the app will be notified of the update and asked if they want to install it. If they click the update button then the update installs automatically. Also it only updates the part of your app that has changed so the update is very fast.
This works great for a company that wants to build an internal app and distribute it to all if its remote employees and also keep it up to date with very little instructions. Just open the app and click the update button if it offers an update.
It might be worth mentioning that EV certificates require some sort of extra verification during signing. At one point we had to mail a USB stick to the issuer so they could put the certificate on it and mail it back. We were told it would not work if moved from the drive, but I have no idea how that could be true. For another issuer, we have to use a Yubikey to generate OTP codes for each file signed, or use their online verification for $10 per file signed. Both options seriously hurt build automation.
Last time I “renewed” with Sectigo, they told me they don’t use D&B anymore. I forget who, but they let some other company hold your business hostage now.
SmartScreen score appears to stay with the certificate. At least, the only time SmartScreen ever interrupts is for a few days after “renewal” for me. Combined with arduous validation, buying the longest certificate you can afford is strongly recommended.
maybe I should start a new thread (if so will delete this) but wanted to know what I should sign when using InnoSetup to create an installer.
Do I have to sign the folder generated by Xojo or the file generated by InnoSetup or both?
I’ve elaborated in the section about EV certificates. I think it’s weird that you had to mail them a USB stick. I do think I read somewhere that EV certificates use the smart-card APIs for some kind of temporary voodoo? Could that be how they prevent the certificate from being moved from the drive?
I’ve also added your note about D&B but I cannot confirm it because that was the exact problem a client just had with Sectigo -_-
I wonder what some of the secrets behind SmartScreen score are. My personal certificates have never gotten enough score, but you can get yours in just a few days. Is there a place I can request Microsoft step in?
If you download your installer with Edge (yuck), when you click on the three dots next to it in the downloads menu (or right click it) you can “Report File as Safe.” I did that for mine (signed with a personal certificate), filled out the form explaining who I was and what the software is, and my installer no longer complains on a fresh VM. You might try that.
I’ll suggest there is a significant opportunity here for someone to:
a) sort out the whole mess into a unified process to prepare apps ready for the MacOS, iOS and Windows Appstore’s, and
b) document it.
Building an app that runs is only the start. The rest of the challenge to actually get a Xojo app “out there” where users can get it via the stores is undocumented. As for expecting average users to tinker with system settings and Terminal commands… they won’t.
I snipped your quote because there is no unified process. Someone could make an app for that, but @Sam_Rowlands already goes most of the distance on macOS. The process changes so frequently, I personally think App Wrapper is a charity to us. I feel that anyone who distributes commercially for Mac should buy App Wrapper (within reason).
The rest of it, preparing apps for the app stores, well that’s uh part of my livelihood / business model. Researching these things takes a lot longer than most Xojo users are aware. Excuse me for not documenting it publicly