Signed Offline exe
June 29, 2015 12:00 AM
Thanks for getting the offline exe back in version 12, it's really useful. However, when some of my users open the file they get a Windows security message something like:
Discussion (4)
Signing an EXE with your own key literally takes less than a minute (http://windowsitpro.com/security/q-whats-easiest-way-digitally-sign-internally-developed-applications-executable). In doing so, you will guarantee to your users that the EXE file came from you.
Also, simply signing a file wouldn't be enough. As per Microsoft:
Downloads are assigned a reputation rating based on many criteria, such as download traffic, download history, past antivirus results and URL reputation. Reputation is generated and assigned to digital certificates as well as specific files.
Source: http://blogs.msdn.com/b/ie/archive/2010/10/13/stranger-danger-introducing-smartscreen-application-reputation.aspx
So even if your EXE files are signed by Trivantis, NSA and President of the US all at once, they would need to build up a reputation as "safe" and be downloaded millions of times before that message goes away. Do your courses get downloaded millions of times?
Sergey, thanks for the response. Not sure any of that is relevant, I'm not going to sign the exe as me. It needs to be signed as a Lectora/Trivantis exe so that Windows doesn't see it as a security risk. When you install or run software this message doesn't appear every time. Files from established companies have certificates to prove their authenticity, so you wouldn't get this warning (might get other warnings but then it's a Windows issue).
The problem is, Trivantis will NOT sign any EXE files that are published by Lectora with their certificate. In order to be able to do so, they'd need to include their secret key with every copy of Lectora. Which violates the whole idea of it being a secret key. It'd be very easy to hack Lectora and then sign ANY EXE file with it. I don't think Trivantis would want malicious EXE files signed by Lectora floating around the internet.
The only EXE file that they could digitally sign in advance would be the standalone EXE player file, which is included with the offline publish when you choose to store all the HTML files externally. But I don't think this is what you asked for.
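The signing step mentioned in the first reply, as an added example that is not part of the thread and is not Trivantis or Lectora code: it signs a published EXE with a code-signing certificate your organisation already holds, then checks the result. The file path and timestamp URL are placeholders, and the script assumes the certificate and its private key are in the signing user's certificate store.

```powershell
# Added example: sign an internally published EXE with your own code-signing
# certificate and verify the signature afterwards.
# Assumptions (not from the thread): the path, the timestamp URL, and that a
# code-signing certificate already exists in Cert:\CurrentUser\My.
param(
    [string]$ExePath      = 'C:\Publish\Course.exe',        # hypothetical path
    [string]$TimestampUrl = 'http://timestamp.example.com'  # placeholder: your CA's timestamp service
)

# Pick an unexpired code-signing certificate whose private key is on this machine.
# The private key never leaves the signer, which is why a vendor cannot ship it
# inside a publishing tool.
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) {
    throw 'No usable code-signing certificate found in Cert:\CurrentUser\My'
}

# Sign with SHA-256 and add a timestamp so the signature remains verifiable
# after the certificate itself expires.
Set-AuthenticodeSignature -FilePath $ExePath -Certificate $cert `
    -HashAlgorithm SHA256 -TimestampServer $TimestampUrl | Out-Null

# Re-read the signature from disk instead of trusting the signing call's output.
$sig = Get-AuthenticodeSignature -FilePath $ExePath
[pscustomobject]@{
    File        = $ExePath
    Status      = $sig.Status
    Signer      = $sig.SignerCertificate.Subject
    Thumbprint  = $sig.SignerCertificate.Thumbprint
    Timestamped = [bool]$sig.TimeStamperCertificate
}

# 'Valid' requires that the verifying machine trusts the issuing CA. With an
# internal CA, that root must be deployed to the users' machines first.
if ($sig.Status -ne 'Valid') {
    throw "Signature check failed: $($sig.Status) - $($sig.StatusMessage)"
}
```

A valid signature identifies the publisher of the file; the SmartScreen reputation discussed in the second reply is tracked separately, per certificate and per file.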