Windows build needs to be signed, too

[justvanrossum]

We need to figure out:

• how to do it
• how to get a certificate

[justvanrossum]

The current build can be run, but the Windows malware detector ("Defender") flags it as malware, and you have to take some steps before it can be run.

[ftCLI]

I came across the same issue and found the solution in this e-book: https://www.pythonguis.com/packaging-book/

The main decision you have is between Standard Validation and Extended
Validation. Both are sufficient to sign executables, with EV required only for
drivers. That said, EV is the only way to guarantee that no warnings are
shown — with a normal validation cert you need to accrue "reputation" by
having the software installed on a sufficient number of (internet connected)
machines (that report their installs). If that sounds like too high a bar for
your software, you may want to consider EV.

A list of certificate providers can be found in this page: https://learn.microsoft.com/en-us/windows-hardware/drivers/dashboard/code-signing-cert-manage

Also: https://comodosslstore.com/code-signing

To sign executables: https://learn.microsoft.com/en-us/windows/win32/seccrypto/signtool

[justvanrossum]

Thank you, that is very useful information!