Shipping the Windows binaries unsigned now has hard, measured costs across four independent fronts. This issue consolidates them as the business case for obtaining an Authenticode certificate — the SignPath Foundation free OSS program is the target.
The measurement that settles it
`uffs-broker --install` timing on a real Norton box (elevated), isolating each step:

| step | Norton ON | Norton OFF | ratio |
|---|---|---|---|
| `sc create` (register auto-start service) | 40,022 ms | 13 ms | ~3,000× |
| `sc start` | 33 ms | — | — |
| service → RUNNING (exe launch scan) | ~10 s | — | — |
Registering a new auto-start LocalSystem service pointing at an unsigned binary is the textbook malware-persistence signal, so Norton deep-scans it synchronously. Signed binaries with established reputation are not gated this way.
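To reproduce the split above on another box (or to re-measure once a signed build exists), the following elevated PowerShell script times the three steps separately. It is an added example, not part of the issue or the project's installer; the service name, the binary path and the timeout are assumptions. Note that AV gating keys on the binary's hash, so a second run of the same build on the same machine will not show the 40 s again.

```powershell
# Added example (not project code). Times sc create / sc start / reach-RUNNING
# separately, then removes the throwaway service. Run from an elevated shell.
# Assumed values: $BinPath (where the daemon lives), $Name (a disposable
# service name), $TimeoutSec.
param(
    [string]$BinPath    = 'C:\Program Files\uffs\uffs-broker.exe',  # assumption
    [string]$Name       = 'uffs-broker-timing-test',                 # assumption
    [int]   $TimeoutSec = 120
)
$ErrorActionPreference = 'Stop'
if (-not (Test-Path $BinPath)) { throw "binary not found: $BinPath" }

function Invoke-Timed([string]$Label, [scriptblock]$Body) {
    $t = Measure-Command $Body
    '{0,-36} {1,10:N0} ms' -f $Label, $t.TotalMilliseconds
}

try {
    # Step 1: register an auto-start service. LocalSystem is sc.exe's default
    # account. The space after 'binPath=' and 'start=' is required by sc.exe.
    # This registration is the call Norton gates synchronously.
    Invoke-Timed 'sc create (register service)' {
        & sc.exe create $Name binPath= "`"$BinPath`"" start= auto | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "sc create failed: $LASTEXITCODE" }
    }

    # Step 2: ask the SCM to start it. Returns once the request is accepted,
    # not once the process is up, which is why it is cheap in the table.
    Invoke-Timed 'sc start' {
        & sc.exe start $Name | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "sc start failed: $LASTEXITCODE" }
    }

    # Step 3: wait until the service really reaches RUNNING. The on-launch
    # exe scan lands in this window.
    Invoke-Timed 'service -> RUNNING' {
        $deadline = (Get-Date).AddSeconds($TimeoutSec)
        do {
            Start-Sleep -Milliseconds 50
            $state = (Get-Service -Name $Name).Status
        } while ($state -ne 'Running' -and (Get-Date) -lt $deadline)
        if ($state -ne 'Running') { throw "did not reach RUNNING (last state: $state)" }
    }
}
finally {
    # Clean up so the measurement leaves no persistent service behind.
    & sc.exe stop   $Name 2>$null | Out-Null
    & sc.exe delete $Name 2>$null | Out-Null
}
```

The binary must be a genuine service executable (one that calls into the SCM), otherwise step 3 fails with error 1053 after the SCM's own 30 s timeout rather than measuring anything about the AV.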
The four fronts a signature fixes
- Broker `WinVerifyTrust` is inert. The Access Broker verifies the daemon's Authenticode before vending elevated volume handles — that signature check is the zero-UAC path's client authentication. With an unsigned daemon there is nothing to verify, so the broker cannot tell the real daemon apart from any other caller.
- Defender false-positive (`Trojan:Win32/Sprisky.U!cl`) blocked winget PR #395548; needed a manual WDSI submission to clear. Recurs per release on unsigned, low-prevalence binaries.
- Norton scan on `--uninstall` — every downloaded binary re-scanned; painful UX (reported live).
- Norton 40s gate on `sc create` — the measurement above. A one-time install cost today, but a concrete, quantified example of the unsigned tax.
Cost of NOT signing (recurring, per release, forever)
- Each release ships new unknown hashes → no prevalence → repeated AV scans / FPs / gates on every user machine.
- The zero-UAC broker security model is weaker than designed.
- winget submissions risk re-blocking on Defender FPs.
Recommendation
Apply to SignPath Foundation (free code signing for OSS). Then wire signing into `release.yml` (sign the Windows binaries before packaging/upload, and fail the job if the signature does not verify). Signing fixes the broker front immediately; the three AV fronts resolve as prevalence builds, since a freshly signed but still unknown binary can be scanned once more before reputation catches up. The 40,022 ms vs 13 ms measurement above is the concrete number to cite in the application (it is a Norton-on/off comparison of the same unsigned binary, not yet a signed-vs-unsigned one).
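Two passages above want the same check: the broker's `WinVerifyTrust` gate on the daemon (front 1) and the "verify after signing" step in `release.yml`. The script below is an added example, not the broker's code or the project's workflow; it expresses the check in PowerShell so it can be run by hand against a release binary or used as a CI gate. `$ExpectedThumbprint` is a placeholder for the release certificate's thumbprint, and the paths are whatever the caller passes in.

```powershell
# Added example (not project code). Verifies Authenticode the way a client
# authentication check must: chain valid, signer pinned, timestamped.
# Assumed inputs: $Path (binaries to check), $ExpectedThumbprint (SHA-1
# thumbprint of the project's release signing certificate; placeholder).
param(
    [Parameter(Mandatory)][string[]]$Path,
    [Parameter(Mandatory)][string]  $ExpectedThumbprint
)
$ErrorActionPreference = 'Stop'
$pin    = $ExpectedThumbprint.Replace(' ', '').ToUpperInvariant()
$failed = 0

foreach ($file in $Path) {
    $sig      = Get-AuthenticodeSignature -FilePath $file
    $problems = @()

    # 1. Chain and file hash must both check out. 'NotSigned' is what every
    #    current build returns; 'HashMismatch' means the bytes changed after
    #    signing (tampering, or packaging that touched the file post-sign).
    if ($sig.Status -ne 'Valid') {
        $problems += "status=$($sig.Status) ($($sig.StatusMessage))"
    }

    # 2. Pin the signer. A valid chain alone only proves that *some* CA issued
    #    the certificate; the broker must accept the project's own cert only,
    #    otherwise any signed executable could claim to be the daemon.
    if (-not $sig.SignerCertificate -or $sig.SignerCertificate.Thumbprint -ne $pin) {
        $problems += "signer thumbprint=$($sig.SignerCertificate.Thumbprint) expected=$pin"
    }

    # 3. Require a timestamp countersignature so the signature stays valid
    #    after the certificate expires; without it, old releases break on a date.
    if (-not $sig.TimeStamperCertificate) {
        $problems += 'no timestamp countersignature'
    }

    if ($problems.Count -gt 0) {
        $failed++
        Write-Host "FAIL $file"
        $problems | ForEach-Object { Write-Host "     $_" }
    }
    else {
        Write-Host ('OK   {0}  signer={1}  timestamped-by={2}' -f $file,
            $sig.SignerCertificate.Subject, $sig.TimeStamperCertificate.Subject)
    }
}

# Non-zero exit so a workflow step placed after signing fails the release job.
exit $failed
```

This verifies trust, not reputation: a binary that passes all three checks can still be scanned by Defender or Norton until prevalence builds, which is why the AV fronts above resolve over releases rather than on the first signed build.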
Related
- Broker install narration/spinner fix (the silence during the 40s): PR to land shortly. The 40s itself is AV/trust, not fixable in code.
- Prior context: winget FP (#395548 / WDSI d08a4830, cleared), broker Authenticode design.