Windows authenticode/publisher/signing

I've built a Windows executable using cargo build --release. It runs fine via cargo run. However, after I copy it to another machine (zip/download) Windows refuses to run it:

Windows protected your PC

Windows Defender SmartScreen yada yada
Publisher: Unknown publisher

[ Don't run ]

And even when I dig out the [ Run anyway ] button, the executable can't write any files to disk.

What do I need to do to make other people's Windows trust it? Can Cargo do it for me?


Cargo definitely cannot magically make your binaries signed. Maybe one day in the distant future cargo will provide a way to automatically sign a binary with the key you provide, but you can already sign a binary yourself after cargo built it. Besides, the actual hard part is generating a keypair for binary signing and getting your certificate signed by a certificate authority so that other computers can actually trust binaries signed by you.

The signing process is often a separate step.

The rationale is that if one assumes that a build agent can execute any arbitrary code downloaded from the internet (as part of running tests or installing packages), then it would be safe to assume that such arbitrary code can access anything the build agent can access, including the private keys of code signing certificates. If an attacker is able to obtain those keys, they are able to compromise them and re-sign them, and no one will know it was not produced through an authorized system.

So to counter this, binaries are transferred to a separate "clean" machine that doesn't execute any code and for which the OS is hardened to some extent, to sign the binaries. The signed binaries are then packaged and made available for download (or deployment).

Cargo could call signtool if and when it runs on Windows, codesign on macOS, OpenPGP for Linux and simplify the process, but these commands are very different, and have their own requirements. I'm not sure if Cargo will just get in the way trying to make this easy.
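The separate signing step described in the replies above, as an added example that is not part of this thread: a PowerShell script for the "clean" signing machine that signs the cargo-built binary with signtool, using a certificate already installed in the local certificate store, and refuses to release the file unless the signature verifies and was made by the expected certificate. The binary path, the thumbprint and the timestamp server URL are placeholders to replace with your own values.

```powershell
# Added example, not code from the thread. Runs on the signing machine, not on the
# build agent, so the private key never sits next to code pulled from the internet.
# Assumptions (placeholders): $Exe is the release binary copied over from the build
# machine, $Thumbprint identifies your code-signing certificate in the CurrentUser\My
# store, and $TimestampUrl is your CA's RFC 3161 timestamp server.
param(
    [string]$Exe          = '.\target\release\myapp.exe',
    [string]$Thumbprint   = '0000000000000000000000000000000000000000',  # placeholder
    [string]$TimestampUrl = 'http://timestamp.example.invalid'          # placeholder
)

$ErrorActionPreference = 'Stop'

# signtool.exe ships with the Windows SDK and must be on PATH here.
# /sha1 selects the certificate by thumbprint (no PFX password on the command line),
# /fd and /td choose SHA-256 digests, and /tr adds an RFC 3161 timestamp so the
# signature remains valid after the certificate itself expires.
& signtool.exe sign /sha1 $Thumbprint /fd SHA256 /tr $TimestampUrl /td SHA256 $Exe
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# Verify the way Windows will: /pa applies the default Authenticode policy.
& signtool.exe verify /pa /v $Exe
if ($LASTEXITCODE -ne 0) { throw "signtool verify failed with exit code $LASTEXITCODE" }

# Second, independent check from PowerShell: the chain must validate and the signer
# must be exactly the certificate we intended, otherwise do not publish the file.
$sig = Get-AuthenticodeSignature -FilePath $Exe
if ($sig.Status -ne 'Valid') {
    throw "Signature status is $($sig.Status): $($sig.StatusMessage)"
}
if ($sig.SignerCertificate.Thumbprint -ne $Thumbprint.ToUpperInvariant()) {
    throw "Signed by unexpected certificate $($sig.SignerCertificate.Thumbprint)"
}
Write-Host "OK: $Exe is signed by $($sig.SignerCertificate.Subject)"
```

Note that a valid Authenticode signature does not by itself remove the SmartScreen prompt; SmartScreen additionally weighs the reputation of the publisher certificate and the file, which is built up over time.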