Ask HN: Code Signing or No Installer?

1 point by textman 3 years ago · 9 comments · 1 min read


B2B Windows desktop software sold mainly to medium to large companies, will they "install" it if there is no installer, but just a readme file that says to copy all the files to whatever location they choose? Only a single .exe plus a help file.

moremetadata 3 years ago

> will they "install" it if there is no installer

Probably not. SysAdmins tend to use remote installation methods like this one to push a software installation to a workstation, so the installation software needs a command line with switches interface to setup for automated silent installs.

https://learn.microsoft.com/en-us/troubleshoot/windows-serve...

It works well and saves a lot of time going around to individual workstations spread across multiple floors.
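Added example, not from the thread or any poster: the kind of unattended push an admin has in mind when they ask for "command line switches for a silent install". It uses PowerShell remoting and standard msiexec switches; the computer names, the NicheApp.msi path and the log path are constructed placeholders, and it assumes WinRM is enabled on the targets and the operator holds local admin there.

```powershell
# Added example (not from the thread): push a silent install of a hypothetical
# NicheApp.msi to several workstations over PowerShell remoting.
# Assumptions: WinRM enabled on targets, local admin rights there, and an MSI
# that honours the standard msiexec switches.
$Computers = @('WS-101', 'WS-102')          # constructed sample list
$Msi       = 'C:\Deploy\NicheApp.msi'       # hypothetical local path
$RemoteMsi = 'C:\Windows\Temp\NicheApp.msi'

# Refuse to deploy an installer whose Authenticode signature does not verify.
if ((Get-AuthenticodeSignature -FilePath $Msi).Status -ne 'Valid') {
    throw "Refusing to deploy $Msi : signature is not Valid"
}

$results = foreach ($pc in $Computers) {
    $s = New-PSSession -ComputerName $pc
    try {
        # Copy the MSI into the session rather than pointing msiexec at a UNC
        # share: the remote session's credentials do not flow on to a file
        # server (the classic Kerberos double-hop problem).
        Copy-Item -Path $Msi -Destination $RemoteMsi -ToSession $s

        Invoke-Command -Session $s -ScriptBlock {
            param($Path)
            $log = 'C:\Windows\Temp\NicheApp-install.log'
            # /qn = no UI, /norestart = suppress reboot, /l*v = verbose log
            $p = Start-Process -FilePath 'msiexec.exe' `
                -ArgumentList "/i `"$Path`" /qn /norestart /l*v `"$log`"" `
                -Wait -PassThru
            [pscustomobject]@{
                Computer = $env:COMPUTERNAME
                ExitCode = $p.ExitCode   # 0 = ok, 3010 = ok but reboot needed
                Log      = $log
            }
        } -ArgumentList $RemoteMsi
    }
    finally {
        Remove-PSSession $s
    }
}

$results | Format-Table -AutoSize
```

The OP's single .exe plus help file could be pushed with the same Copy-Item step alone, but the machine would then have no Programs and Features entry, no uninstall path and no per-machine registration to audit or roll back, which is what admins mean when they say a product needs an installer.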

  • textman (OP) 3 years ago

    I should have mentioned that while purchased by some big companies, there is usually just one user so would not be worthwhile to set it up for remote installation. It is a very niche, specialized program.

    • _2uwr 3 years ago

      As to code signing, if you have a Dun & Bradstreet number for your business, it's fairly straightforward getting a code signing cert, and there are different types which you can buy for your app, but it just means you have passed an identity check. The reports I've seen say the hurdles you have to go through are reduced the more you pay, i.e. DigiCert is purportedly less time consuming than cheaper code signing CAs.

      Considering things like GDPR and other data protection legislation around the world, I'm not aware how these CAs can verify identification documents, because the companies or entities that make the documentation used for identification purposes can't give out your data, ergo they can't confirm or deny if the identification document is genuine or not.

      And even if you did codesign your app, the end user company would probably hash your app and restrict its ability to use certain things on the computer in much the same way sandboxes do for web browsers.

      Group Policy is one of the ways to lock an app's abilities down, but that's a job in itself if special GPO templates are not purchased to save on time.

      eg https://learn.microsoft.com/en-us/windows-server/identity/so...

      If you want the appearance of being genuine, I'd probably get a code signing cert; at the very least your users won't get the orange UAC prompt, especially if your app uses certain APIs which require UAC elevation, and/or also depending on your manifest file.

      • textman (OP) 3 years ago

        The current release of my product is code signed, both installer and .exe inside it, but my 5-year cert expired (Comodo) and I am evaluating the cost benefit of renewing, which is the same as getting a new one; at least with Comodo they start you over from scratch. I am in the USA and am incorporated in my state, so Comodo required a copy of my registration, which has both the company and my name and phone. They telephoned me with a couple of basic questions. They also required that I list my business in a free online yellow pages business directory. That was it. Not too bad, but they stretched out their processing timeline and were initially a bit misleading: at first they implied I had to go the Dun & Bradstreet route, which is pricey, but when I objected they backed off.

        What documents were you referring to regarding identity verification?
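Added example, not from the thread or any poster, covering two points raised above: _2uwr's remark that the customer's IT will "hash your app and restrict its ability", and textman's expired signing certificate. It shows what a receiving IT department can do with a vendor binary before allowing it: inspect the Authenticode signature (including whether it was timestamped, which is what keeps an existing release valid after the signing cert expires), pin the build by SHA-256, generate an AppLocker allow rule, and dry-run that rule. The NicheApp.exe path and the output file name are hypothetical; it assumes the AppLocker cmdlets (Windows Pro/Enterprise) are available.

```powershell
# Added example (not from the thread): triage a vendor .exe before allowing it.
# The path is hypothetical; assumes the AppLocker PowerShell module is present.
$Exe = 'C:\Tools\NicheApp\NicheApp.exe'

# 1. Authenticode check. A signature that carries an RFC 3161 timestamp stays
#    'Valid' after the signing certificate's NotAfter date; an expired cert only
#    prevents the vendor from signing NEW builds.
$sig = Get-AuthenticodeSignature -FilePath $Exe
$sig | Select-Object Status, StatusMessage,
    @{ n = 'Signer';      e = { $_.SignerCertificate.Subject } },
    @{ n = 'CertExpires'; e = { $_.SignerCertificate.NotAfter } },
    @{ n = 'Timestamped'; e = { $null -ne $_.TimeStamperCertificate } }

# 2. Pin this exact build by hash (what "they hash your app" amounts to).
$sha256 = (Get-FileHash -Path $Exe -Algorithm SHA256).Hash
"SHA256 of ${Exe}: $sha256"

# 3. Build an AppLocker allow rule. A publisher rule is preferred when the
#    signature verifies, because it survives vendor updates signed with the same
#    certificate; an unsigned binary can only get a hash rule, which has to be
#    regenerated for every new build the vendor ships.
$ruleType = if ($sig.Status -eq 'Valid') { 'Publisher' } else { 'Hash' }
$info     = Get-AppLockerFileInformation -Path $Exe
$xml      = New-AppLockerPolicy -FileInformation $info -RuleType $ruleType `
                -User 'Everyone' -Xml
$xml | Out-File -FilePath .\NicheApp-AppLocker.xml -Encoding utf8

# 4. Dry-run the generated policy against the binary before importing it into a
#    GPO (Set-AppLockerPolicy / Group Policy Management).
Test-AppLockerPolicy -XmlPolicy .\NicheApp-AppLocker.xml -Path $Exe -User 'Everyone' |
    Select-Object FilePath, PolicyDecision, MatchingRule
```

Two caveats a practitioner would want: a hash rule pins only this file, so a vendor who ships frequent point releases forces the admin to re-approve each one, which is one reason signed binaries get through procurement faster; and signing does not remove a UAC prompt, it changes it from the yellow "Unknown publisher" consent dialog to the blue one naming the verified publisher, with the prompt itself still governed by the manifest's requestedExecutionLevel.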

        • moremetadata 3 years ago

          > What documents were you referring to regarding identity verification?

          DigiCert has a different process where you get put through to someone in India if you are in the US. Driver's licences, things like that, but the Indians can't really tell if the documents supplied are genuine or not.

          If you go on the dark web, some marketplaces have identification documents for sale, and I was shocked to learn that Vatican City is an excellent source for fake identification for any country!!!

PaulHoule 3 years ago

I use a few Windows programs that are "installed" like you say. I prefer programs that have a Windows installer though.

My work laptop is managed and wouldn't let me install my own software that isn't managed by IT if they hadn't modified it to let me log in as an administrator since, as a software dev, I need to do all kinds of strange things to it.

  • textman (OP) 3 years ago

    So what does it take to get IT to approve software, particularly if there is no code-signed installer? I was always a dev contractor so was never part of those decisions/policies.

    • PaulHoule 3 years ago

      I have not been close to it either. At my employer we have a "software center" that people use to install supported applications.

      I know people who work at some big banks in NYC where all software has to be approved and they managed to get approval to use a Python library I wrote that I think they install with pip.

daviddever23box 3 years ago

Manufacturer-signed installer, Microsoft-signed DLLs or executables. Anything else is a virus.
