Windows 8 code signing / User Account Control working

[jim618]

I have got the Windows code signing working so that now when you install on Windows 8 you get a 'nice' User Account Control message as follows:



This is surprisingly fiddly to set up because you need a 'real life' identity confirmed with the certificate issuing company and then have to fiddle around with an acronym soup of different private key/ public key/ certificate files.

Also, thanks to a tip from petersvp on github, I have got the installer to automatically elevate and install with administrator rights. This should get rid of the problems with permissions on installing to the Program Files (x86) directory.

edit: improved icon

[Mike Hearn]

Nice! What was involved in getting the code signing cert tied to your real identity?

[jim618]

That was quite amusing.
I used StartSSL which is an Israeli company.

Living on a boat I have an accommodation address in London but obviously don't have any 'real' bills there.
There wouldn't accept things like credit card statements as they are obviously too easy to forge. I think I sent them passport and driving licence photos but they also wanted proof of address.

In the end they sent me a piece of paper with a code on to my accommodation address. That crosses Europe by snailmail. Then it got forwarded to the family member who gets my mail. They then read the random code out over the phone and I type it into my control panel.

Voila !

[Mike Hearn]

Yeah, proving residential addresses is something required for AML/KYC purposes as well. It'd be interesting to find a way to make that process faster and more reliable, though I don't have any great ideas. I thought about something like "use OAuth to grant website.com access to your Google location history" on the assumption that a long term location history is somewhat hard to forge, but then again I don't know how hard they think it is to forge utility bills. It seems strange that they'd consider a credit card bill easy to forge given that to get one you need a bank account, and the bank itself does a check of residential address.

[Atruk]

Yeah, proving residential addresses is something required for AML/KYC purposes as well. It'd be interesting to find a way to make that process faster and more reliable, though I don't have any great ideas. I thought about something like "use OAuth to grant website.com access to your Google location history" on the assumption that a long term location history is somewhat hard to forge, but then again I don't know how hard they think it is to forge utility bills. It seems strange that they'd consider a credit card bill easy to forge given that to get one you need a bank account, and the bank itself does a check of residential address.

I guess they figure for utilities you wouldn't be paying them unless you were living there. I find Google location history even more problematic though, because usually Google misses me by about 35 - 45 miles.

[balanghai]

Yeah, proving residential addresses is something required for AML/KYC purposes as well. It'd be interesting to find a way to make that process faster and more reliable, though I don't have any great ideas. I thought about something like "use OAuth to grant website.com access to your Google location history" on the assumption that a long term location history is somewhat hard to forge, but then again I don't know how hard they think it is to forge utility bills. It seems strange that they'd consider a credit card bill easy to forge given that to get one you need a bank account, and the bank itself does a check of residential address.

I guess they figure for utilities you wouldn't be paying them unless you were living there. I find Google location history even more problematic though, because usually Google misses me by about 35 - 45 miles.

That may be right but I think they make it look like that so one can think that "oh they can't even trace me on the map". I guess they made a protocol to protect individuals from another civilian snoop but not from the NSA.