Archi.exe Signature Invalid

ostkrokens · November 01, 2021, 08:10:11 AM

Dear,

Version 4.9.1

The signature of Archi.exe is invalid.

Can you please update and verify? Thanks.

Phil Beauvoir · November 01, 2021, 08:20:11 AM

Hi,

what do you mean by "invalid" and what signature?

Perhaps you could provide some detail about your issue that we could act on...

ostkrokens · November 01, 2021, 08:49:47 AM

Thanks for your reply.

Once the application is installed under $ProgramFiles - the Archi.Exe executable signature is not valid

https://imgur.com/a/mqX04AP

Please let me know if you need further information

Phil Beauvoir · November 01, 2021, 09:11:43 AM

The "Archi.exe" file is generated from a base "eclipse.exe" file signed by the Eclipse Foundation. The Archi icon is embedded into it so, yes, the digital signature will no longer be valid. This has been the case since Archi 4.6. In fact, Archi is not the only app with an exe file of this format, download this app and you'll see the same digital signature and "invalid" message.

Here are your options:

Build your own binaries from the source and provide your own digital signature. See https://github.com/archimatetool/archi/wiki/Building-the-Binaries
Copy the "eclipse.exe" file from a Windows Eclipse distribution, rename it to "Archi.exe" and replace the existing one
Use the Windows "signtool" application to remove the signature using this command: "signtool remove /s Archi.exe" (in fact I will do this for future versions of Archi)
Do nothing and just enjoy the fact that Archi is free and open source software that works just fine regardless of this

More information:

https://github.com/eclipse/tycho/discussions/353
https://bugs.eclipse.org/bugs/show_bug.cgi?id=565937

Bain19 · January 13, 2023, 16:29:09 PM

Just going to leave this here for the google bot and others users that this snags.
"Windows protected your PC"
"Unknown publisher"
"Archi.exe"

Without valid signatures, Archi will be constantly getting flagged as a risk by windows.

You can go around it and force the execution by launching it via commandline vs mouse click, but this is starting to feel like hostile architecture.

Phil Beauvoir · January 13, 2023, 17:16:26 PM

> Without valid signatures, Archi will be constantly getting flagged as a risk by windows.

Even with a code signature SmartScreen will still flag an app as unrecognized until it has built up reputation. To keep SmartScreen totally happy one has to sign the app with an Extended Validation (EV) certificate.

An EV certificate can cost up to £800 per year. To apply for one you need to secure the services of a lawyer to notarize the EV certificate application process. Individuals can't apply for an EV certificate. only companies can. I am not a company.

Phil Beauvoir · January 14, 2023, 16:00:28 PM

SmartScreen complains because an app has little or no "reputation"....according to Microsoft.

In addition, two *.exe files are not signed:

1. Archi.exe (the main executable launcher)
2. Archi-Win64-Setup-X.X.X.exe (the installer)

One way to solve this when building Archi:

1. Use the "eclipse.exe" file renamed to "Archi.exe". This is signed by the Eclipse Foundation but has the Eclipse icon, not the Archi icon. This gets packaged in the Archi-Win64-X.X.X.zip distribution.
2. No longer distribute the Archi-Win64-Setup-X.X.X.exe installer.

Phil Beauvoir · January 18, 2023, 00:27:51 AM

I've managed to secure a code signing certificate from Sectigo and the next release of Archi 5 will be signed.