I need to stick with the build pipeline I already have (it was a big project 
that I was glad to be done with…), but I can share my WiX scripts if it’s 
helpful.

> And then there’s the signing, which used to involve a $600 physical USB 
> token, but which can now be done on GitHub Actions using Azure Trusted 
> Signing.

> Exactly the switch we're looking at right now. Although I have some concerns 
> about the difference in trust of the certificate. Are you using it now? How 
> have you found it?

Azure Trusted Signing works great! It successfully prevented the Windows 
Defender warning from appearing, just like the Sectigo Extended Validation 
physical USB token I used before. I just talked to someone else who has also 
recently switched from physical USB tokens to Azure Trusted Signing. It seems 
like it’s the way forward for signing on Windows.

I followed the instructions on 
https://melatonin.dev/blog/code-signing-on-windows-with-azure-trusted-signing/ 
and then used the https://github.com/Azure/trusted-signing-action from a GitHub 
Actions script.

-- Eirik

From: Neil C Smith <neilcsm...@apache.org>
Reply-To: "dev@netbeans.apache.org" <dev@netbeans.apache.org>
Date: Friday, March 14, 2025 at 4:48 PM
To: dev <dev@netbeans.apache.org>
Subject: Re: Re : Re: heads up: windows installer/uninstaller issues

On Fri, 14 Mar 2025, 20:13 Eirik Bakke, 
<eba...@ultorg.com.invalid> wrote:

> I only know how to generate MSI files with the WiX toolset
> (https://www.firegiant.com/wixtoolset/), which must run on Windows.


Yes, this is exactly what we want. NBPackage is designed to run with
platform-specific tools, just like JPackage.

The NBPackage tool builds an image of all files and configuration, then
executes the native build tool.

I was planning on looking at WiX sometime soonish, but if anyone else
wants to get there first that'd be great!

> And then there’s the signing, which used to involve a $600 physical USB
> token, but which can now be done on GitHub Actions using Azure Trusted
> Signing. I don’t think the dependencies on these Microsoft-centric tools
> can be avoided.


Exactly the switch we're looking at right now. Although I have some
concerns about the difference in trust of the certificate. Are you using it
now? How have you found it?

Signing can be done cross platform with JSign afaik mind you.

Best wishes,

Neil
