Last updated 2026-05-28

Code-signing the desktop client

What it gets you

Without code-signing, Windows shows a SmartScreen warning the first time someone runs otiumwork-client.exe ("Windows protected your PC — More info → Run anyway"). It works, but it scares some users, and IT teams sometimes block the executable from running at all.

With an EV (Extended Validation) Authenticode signature:
  - The SmartScreen warning goes away immediately (no reputation-building period, unlike standard OV certs, which need weeks of downloads to build trust).
  - Windows shows the signing entity's name in the UAC prompt and in the file's Digital Signatures properties.
  - Microsoft Intune, SCCM, and most enterprise endpoint protection treat the binary as trusted.

What it costs

An EV code-signing cert:
  - ~$370/year from SSL.com (DigiCert, Sectigo and GlobalSign are comparable).
  - Ships with a hardware USB token (the CA/Browser Forum requires the private key to live in FIPS 140-2 Level 2 or equivalent hardware). The token adds ~$30 and about a week of shipping time.
  - Renews annually. The private key lives on the token and cannot be exported, so a lost token means reissuing the cert.

One-time setup

  1. Buy the cert from ssl.com → Code Signing Certificates → EV under the operator entity name (Mashpee Advisors LLC, DBA OtiumWork).
  2. Pass identity verification (corporate documents, phone callback).
  3. Receive the YubiKey FIPS token via courier.
  4. Install the token's driver and activate it with the PIN the CA shipped, then change that PIN. For a YubiKey this is the Yubico Smart Card Minidriver (or YubiKey Manager); SafeNet Authentication Client is the tool for SafeNet/Thales eTokens, so install it only if that is the token you actually received.
  5. Find the cert thumbprint (the token must be plugged in; Windows mirrors the token's cert into the user store):
     Get-ChildItem -Path Cert:\CurrentUser\My | Select-Object Thumbprint, Subject
  6. Set CODESIGN_CERT_THUMBPRINT in your build environment to that SHA-1 thumbprint (40 hex characters).

Building a signed release

pwsh scripts/build_client.ps1 -Sign -Verify

Output:
  - dist/otiumwork-client.exe with a SHA-256 Authenticode signature and an RFC-3161 timestamp (the timestamp keeps the signature valid after the cert's annual expiry).
  - The SHA-256 file digest printed to the console. Paste it into the /admin/client upload form. It is computed after signing, because signing changes the file bytes.
  - The signature verifies under the standard Authenticode policy: signtool verify /pa /v dist/otiumwork-client.exe
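The sign, timestamp and verify steps above, as an added PowerShell example. This is not the repository's scripts/build_client.ps1 (that script is not shown on this page). It assumes signtool.exe from the Windows SDK is on PATH, uses SSL.com's RFC-3161 endpoint http://ts.ssl.com, and assumes the cert's CN is the LLC name; adjust those to what the CA actually issued.

```powershell
# Added example, not the project's build script. Assumptions (not from the page):
# signtool.exe is on PATH, http://ts.ssl.com is the RFC-3161 timestamp service,
# and $ExpectedSubjectCn matches the CN on the issued EV cert.
param(
    [string]$Path = "dist\otiumwork-client.exe",
    [string]$Thumbprint = $env:CODESIGN_CERT_THUMBPRINT,
    [string]$TimestampUrl = "http://ts.ssl.com",
    [string]$ExpectedSubjectCn = "Mashpee Advisors LLC"
)
$ErrorActionPreference = "Stop"

if (-not $Thumbprint) { throw "CODESIGN_CERT_THUMBPRINT is not set; see step 6 of the one-time setup." }
# Thumbprints copied from certmgr often carry spaces or a hidden BOM; normalise before use.
$Thumbprint = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($Thumbprint.Length -ne 40) { throw "Thumbprint must be 40 hex chars (SHA-1), got '$Thumbprint'" }

# Confirm the cert is visible: the token has to be plugged in and its driver installed.
$cert = Get-ChildItem Cert:\CurrentUser\My | Where-Object Thumbprint -eq $Thumbprint
if (-not $cert) { throw "No cert with thumbprint $Thumbprint in CurrentUser\My; is the token plugged in?" }
if (-not $cert.HasPrivateKey) { throw "Cert found but its private key is not reachable; check the token driver." }

# Sign: SHA-256 file digest (/fd), RFC-3161 timestamp (/tr) with a SHA-256 timestamp digest (/td).
# signtool will prompt for the token PIN through the token's driver.
& signtool.exe sign /sha1 $Thumbprint /fd sha256 /tr $TimestampUrl /td sha256 /v $Path
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# Verify under the default Authenticode policy (/pa), the same check a user's machine applies.
& signtool.exe verify /pa /v $Path
if ($LASTEXITCODE -ne 0) { throw "signtool verify failed with exit code $LASTEXITCODE" }

# Independent check with the built-in cmdlet: valid chain, expected signer, timestamp present.
$sig = Get-AuthenticodeSignature -FilePath $Path
if ($sig.Status -ne 'Valid') { throw "Signature status is $($sig.Status), expected Valid" }
if ($sig.SignerCertificate.Subject -notmatch "CN=$([regex]::Escape($ExpectedSubjectCn))") {
    throw "Signer is '$($sig.SignerCertificate.Subject)', expected CN=$ExpectedSubjectCn"
}
if (-not $sig.TimeStamperCertificate) { throw "No RFC-3161 timestamp on the signature" }

# Digest for the /admin/client upload form. Computed last: signing changed the bytes.
$digest = (Get-FileHash -Algorithm SHA256 -Path $Path).Hash.ToLowerInvariant()
Write-Host "Signed by : $($sig.SignerCertificate.Subject)"
Write-Host "Timestamp : $($sig.TimeStamperCertificate.Subject)"
Write-Host "SHA-256   : $digest"
```

The subject check matters because a machine with several signing certs in CurrentUser\My will happily sign with whichever thumbprint you pass; matching the CN against the operator entity catches a stale or test cert before the binary reaches the upload form.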

Why not sign in CI?

EV cert private keys live on a hardware token that must be physically plugged in, and CI runners don't have hands. Options:
  - Azure Key Vault with an HSM-backed key (~$5/mo plus per-operation pricing). The CA has to issue the cert directly into that vault rather than onto a token, and signtool itself cannot talk to Key Vault: use AzureSignTool (or signtool with a vendor-supplied /dlib) so the key never leaves the HSM and no token is needed in CI.
  - SSL.com eSigner cloud signing, bundled with their EV cert at no extra cost (slower, more friction, and the key is held by the CA rather than by you).

For a 100-person rollout one operator can sign on their local machine each release — that's fine. Move signing into CI when release cadence exceeds once a week or when more than one person ships the client.

Unsigned-release workaround

The existing user-facing message in the install email still applies:

If Windows Defender shows 'Windows protected your PC', click 'More info' then 'Run anyway'. Harmless false positive for packaged Python apps.

That works but it's not a long-term experience for non-technical users. Plan to sign before the team scales much past 30.

