Hi Enrico, I understand that the installer contains more binaries which are not signed by you, but I think that a GPG-signed .exe would be more trustable than a md5-certificated .exe. I think it would be an improvement simple to add.
Best regards, Daniel
----- Original Message ----- Hi <whoever you are>,
On 12/16/18 10:29 PM, dany111@email.it wrote:
Given that you already sign the source packages, could you sign the Windows Installer too?
I could. The installer as well as all binaries created from the Geany sources itself (that is geany.exe, libgeany.dll and the plugin DLLs) are signed with a SSL certificate from cacert.org. You can check these signatures on Windows in the file properties dialog on the "Digital Signatures" tab.
Usually you get a verification failure because Windows doesn't know the CA the certificate is signed with (cacert.org). But this is a problem of Windows, not of Geany. You can download the root certificate of the cacert.org CA on http://www.cacert.org/index.php?id=3.
The installer contains more binaries which are not signed by us as they are not created by us but taken from the MSYS2 project. Detailed information about the included runtime libraries are where they were downloaded from can be found in the installation directory in the file called "ReadMe.Dependencies.Geany.txt".
Regards, Enrico