I’ve been looking for ways to do code signing on Windows, so users don’t get the Defender warnings. Unfortunately, while Apple certificates cost $99 / year which I’m willing to pay, the Windows code signing looked like it would run ~$500 / year. (Ouch.)
I found out that SignPath offers code signing to select open source projects including Vim. I’m in the process of hooking this up into our GitHub builds like the Mac signing.
When I have some test builds, I’ll look for some volunteers to let me know if it’s working.
I believe that any new release / build of Avogadro triggers the Windows Defender warnings, correct?
Though I have no experience regarding code signing to pass Windows Defender warnings, this made me think about Chocolatey as a package manager for Windows with similar intent (one central resolver of dependencies per computer instead of x times a Python setup for program A, B, and C, etc.) like e.g. apt in Debian-based Linuxes. How popular is it among those preferentially working with Windows/chemists in particular? Would it be an interesting avenue for Avogadro2? I don’t know either.
The same maintainer teknowledgist for the actively maintained package about Jmol already provided one about Avogadro, though this was back in 2019.
More than happy to try installing on a uni PC. I have to badger others to put in their admin password though, so I can only test it a couple of times before I get annoying.
These days winget is a better solution when it comes to a package manager on Windows, honestly. For a start, it’s built in to Windows 11. It can also be uploaded to without uploading to the Microsoft store. Conda would also fit this remit. But the vast majority of Windows users have zero experience with command lines and so distribution via any kind of package manager is never going to be as popular as a downloaded installer.
As someone who uses Avogadro on Windows 11 and has experienced the Windows Defender warnings every time, I am more than happy to help test out anything!
So just to double-check, this applies to any build (e.g., different nightly builds) correct? I’m assuming this is true based on Mac (e.g., the binary checksums differ so it’s a new Defender warning).
I have yet to encounter a nightly build that doesn’t have a Defender pop-up. I haven’t actually ever tried the regular releases, but that’s just because they are almost immediately out of date.
I’m certainly inclined to check for winget on Windows and ask the user if they want Avogadro to install miniforge.
There’s been a few people who suggested actually having Avogadro2 as a conda-forge package, which makes some sense – you’d have Python installed, etc.
But I think the vast majority of Windows users want an installer. That’s what my campus wants, and the code signing will help confidence in the package.
Code signing to pass the gates of Windows was mentioned on the discussion board of InChI. Chem4Word reports they reach out to the .NET Foundation – perhaps this would be an avenue to consider for Avogadro2.