Description:
The SETUP.EXE as found in our Windows ZIP package is not signed. There appears to be confusion as to what is signed, who is supposed to sign it and so forth. From IRC:
(5:29:05 PM) pstoev: jperkin: our windows setup.exe inside the zip is not signed, is that ok?
(5:36:01 PM) pstoev: bteam: do we sign our installers under windows?
(5:36:30 PM) jperkin: pstoev: hm, it should be, I will look..
(5:36:39 PM) joerg: pstoev: We "packsign" the whole resulting package, but not the individual files.
(5:37:00 PM) pstoev: setup.exe from the ZIP was not signed
(5:37:04 PM) wlad: pstoev: I think the binaries (*.exe) are signed, but for some reason not the setup.exe and not the *.msi.
(5:37:30 PM) pstoev: well I thought it must be the other way around -- the installer must be signed so that you do not get a bunch of
(5:37:35 PM) pstoev: warning boxes from windows
(5:37:37 PM) jperkin: ah, will defer to wlad (I know they sign something as we had problems with the key expiring a while ago, but not sure what)
(5:37:57 PM) pstoev: I think whether mysqld.exe is signed or not does not result in any extra warnings, once it has been installed as a service
(5:38:55 PM) wlad: jperkin: defer to iggy . I'm not that good in installer, cannot even remember the right CVS location for it;)
(5:48:48 PM) kent: pstoev: Signing of the installer is in the pipeline, we will move in 5.1 to use MSI packages, and part of that is to sign them. Thanks to work done by iggy
How to repeat:
Run setup.exe from the ZIP. The dialog box says "unknown publisher".
Suggested fix:
Determine official company policy regarding signed binaries and follow it. Check for signature during package verification.
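One way to implement the "check for signature during package verification" step, as an added example that is not part of the original report or the project's build tooling: it lists the .exe/.dll members of a ZIP whose PE headers carry no Authenticode certificate table. The file names and the sample ZIP are constructed for illustration; .msi files are not PE images and are not covered.

```python
import io
import struct
import zipfile

SECURITY_DIR = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY: the certificate table

def has_signature_blob(pe: bytes) -> bool:
    """True if the PE headers point at a non-empty certificate table."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not a PE file")
    (nt,) = struct.unpack_from("<I", pe, 0x3C)       # e_lfanew
    if pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    opt = nt + 24                                    # past signature + COFF header
    (magic,) = struct.unpack_from("<H", pe, opt)
    if magic not in (0x10B, 0x20B):                  # PE32 / PE32+
        raise ValueError("unknown optional header")
    dirs = opt + (96 if magic == 0x10B else 112)     # start of data directories
    (count,) = struct.unpack_from("<I", pe, dirs - 4)
    if count <= SECURITY_DIR:
        return False
    offset, size = struct.unpack_from("<II", pe, dirs + 8 * SECURITY_DIR)
    return offset != 0 and size != 0 and offset + size <= len(pe)

def unsigned_members(zip_bytes: bytes, exts=(".exe", ".dll")) -> list:
    """Names of PE members in the ZIP that carry no signature blob."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist()
                if n.lower().endswith(exts) and not has_signature_blob(zf.read(n))]

def fake_pe(signed: bool) -> bytes:
    """Constructed input: bare PE32 headers, not a runnable binary."""
    head = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40) + b"PE\0\0" + bytes(20)
    head += struct.pack("<H", 0x10B) + bytes(90) + struct.pack("<I", 16)
    dirs = bytearray(16 * 8)
    if signed:  # point the security directory at 8 placeholder bytes after the headers
        struct.pack_into("<II", dirs, 8 * SECURITY_DIR, len(head) + len(dirs), 8)
    return head + bytes(dirs) + (bytes(8) if signed else b"")

def sample_zip() -> bytes:
    """Constructed package: one 'signed' binary, one unsigned installer."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("bin/mysqld.exe", fake_pe(signed=True))
        zf.writestr("setup.exe", fake_pe(signed=False))
        zf.writestr("README.txt", b"constructed sample")
    return buf.getvalue()

if __name__ == "__main__":
    print(unsigned_members(sample_zip()))
```

This is a presence check only; confirming that the signature is valid and chains to a trusted publisher still needs a verifier such as `signtool verify` or PowerShell's `Get-AuthenticodeSignature` on a Windows host.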