Is Digitally Signing EXE Required?

Discuss how to use the Ren'Py engine to create visual novels and story-based games. New releases are announced in this section.
Forum rules
This is the right place for Ren'Py help. Please ask one question per thread, use a descriptive subject like 'NotFound error in option.rpy' , and include all the relevant information - especially any relevant code and traceback messages. Use the code tag to format scripts.
Post Reply
Message
Author
User avatar
SypherZent
Veteran
Posts: 362
Joined: Fri Sep 02, 2016 3:14 am
Completed: Multiverse Heroes, Space Hamster in Turmoil
Location: Puerto Rico
Contact:

Is Digitally Signing EXE Required?

#1 Post by SypherZent »

Okay so, when I changed the icon for the .exe file to a custom icon, it started triggering Windows Defender and Antivirus software for users who downloaded the game. It took a while to figure it out, but ultimately it was the act of changing the icon that caused this to happen, nothing else.

The software becomes 'untrusted' or something like that when the icon is changed using a .ico when building distributions. We removed the .ico and the game stopped triggering Windows Defender and Antivirus software for users.

Do I need to purchase a Code Signing Extended Validation (EV) certificate and sign the .exe file in order to stop the game from being flagged by other people's machines when they download it? Or is there an alternative solution?

rayminator
Miko-Class Veteran
Posts: 793
Joined: Fri Feb 09, 2018 12:05 am
Location: Canada
Contact:

Re: Is Digitally Signing EXE Required?

#2 Post by rayminator »

are you using the default code?

Code: Select all

define config.window_icon = "gui/window_icon.png"
or are you using a custom code?

but do a full virus scan on your computer your pc might be infected

and do online virus scan to determined if it's a false detection from here
https://www.virustotal.com/gui/home/upload

User avatar
SypherZent
Veteran
Posts: 362
Joined: Fri Sep 02, 2016 3:14 am
Completed: Multiverse Heroes, Space Hamster in Turmoil
Location: Puerto Rico
Contact:

Re: Is Digitally Signing EXE Required?

#3 Post by SypherZent »

I'm including a .ico file when building the distribution.
There is no custom code. I don't know what you are talking about.
Including a .ico file is how Ren'Py documentation says it must be done. (https://www.renpy.org/doc/html/build.html#special-files)
That window icon only changes the icon in the taskbar, not the .EXE icon, right?
I am talking about the .EXE icon, not the taskbar icon.

Also, there is no problem with my antivirus or my computer. Didn't you read my initial post??
Most people who download the game experience Windows Defender and their antivirus telling them the game is from an untrusted source.

I have read that the .EXE file has to be signed digitally, and that I have to spend $600+ to purchase a Code Signing certificate from a Windows Validated distributor so that my company can appear in Windows' trusted partner list on everybody else's machine, so when Windows Defender detects the .EXE it can cross reference it and see it is from a trusted and validated source. Apparently this is only required if actually editing the .EXE file to have a custom icon.

I want to know if there is a way to change the .EXE icon without triggering Windows Defender whenever I distribute my game.
I'm not talking about the WINDOW ICON or TASKBAR ICON. I'm talking about the image that appears on the .exe file itself.
Last edited by SypherZent on Sun Aug 09, 2020 1:40 am, edited 1 time in total.

rayminator
Miko-Class Veteran
Posts: 793
Joined: Fri Feb 09, 2018 12:05 am
Location: Canada
Contact:

Re: Is Digitally Signing EXE Required?

#4 Post by rayminator »

this code is for exe and taskbar icon

Code: Select all

define config.window_icon = "gui/window_icon.png"
and a custom code is something that you created not using the renpy coding
and I never said your computer was infected it was possible or theirs
and I told you that virus scan can detect a false virus regardless if you are using Code Signing certificate from a Windows Validated distributor

that from me bye have a good day

User avatar
SypherZent
Veteran
Posts: 362
Joined: Fri Sep 02, 2016 3:14 am
Completed: Multiverse Heroes, Space Hamster in Turmoil
Location: Puerto Rico
Contact:

Re: Is Digitally Signing EXE Required?

#5 Post by SypherZent »

Ok, I will give that a try. Last time I tested that, it did not change the .exe, but that was about two years ago.
Ever since that time I have been uploading games via Steam where the .ico file is requested separately from the game files (uploaded directly to Steam).

Unfortunately, asking my clients to check their antivirus software is not professional nor proper, so it's out of the question.
The game shouldn't be triggering a false positive at all, ever or it makes the company look bad.

I will see if the window_icon actually changes the .exe next time I build a distribution, and I'll see if it continues to trigger Windows Defender for others, thanks.

User avatar
MaydohMaydoh
Regular
Posts: 165
Joined: Mon Jul 09, 2018 5:49 am
Projects: Fuwa Fuwa Panic
Tumblr: maydohmaydoh
Location: The Satellite of Love
Contact:

Re: Is Digitally Signing EXE Required?

#6 Post by MaydohMaydoh »

window_icon does only change the icon in the taskbar and the window, not the exe. Like you said, the .ico file is all that's needed to change the exe icon. But I do know some anti virus' detect renpy games as a false positive, which is a problem with the anti virus not renpy, but shouldn't be an issue with windows defender just 3rd party anti virus' I think. Other than that, I don't have any ideas.

User avatar
SypherZent
Veteran
Posts: 362
Joined: Fri Sep 02, 2016 3:14 am
Completed: Multiverse Heroes, Space Hamster in Turmoil
Location: Puerto Rico
Contact:

Re: Is Digitally Signing EXE Required?

#7 Post by SypherZent »

Well that is why I asked the question. To my knowledge, it's not that the antivirus or Windows Defender is detecting a false positive, as much as something these operating systems have where you need to be on an internal 'verified developer' list which requires purchasing a license of sorts (or what they call a Digital Signing Certificate).

https://docs.microsoft.com/en-us/window ... ertificate

I want to know if there is a way around this, or if it is absolutely necessary like a standard procedure if I don't want my game being flagged on people's systems.

Going out to thousands of players, this may kill over 50% of my business, if the game is flagged by their antivirus, they may refund it immediately.
I cannot risk this happening. Not at this stage of my business.

Human Bolt Diary
Regular
Posts: 111
Joined: Fri Oct 11, 2013 12:46 am
Contact:

Re: Is Digitally Signing EXE Required?

#8 Post by Human Bolt Diary »

Have you tried creating a shortcut to your executable and changing the icon in the shortcut? If that doesn't trigger Windows Defender, it seems like a cheap compromise.

User avatar
Tayruu
Regular
Posts: 141
Joined: Sat Jul 05, 2014 7:57 pm

Re: Is Digitally Signing EXE Required?

#9 Post by Tayruu »

It seems incredibly bizarre that having a custom icon is triggering a false positive with Windows Defender at all. Defender is usually pretty good in this day and age.

Can you check if you get the false positive when you remove the ico file from the project and rebuild? Or if it happens with a different icon?

drKlauz
Veteran
Posts: 239
Joined: Mon Oct 12, 2015 3:04 pm
Contact:

Re: Is Digitally Signing EXE Required?

#10 Post by drKlauz »

If you change exe icon your binary is changed, if binary is changed then digital signature become invalid, if digital signature is invalid then at best it is treated as non-existent, at worst as if exe was tampered by malware. Plus more and more systems flag unsigned binaries as "potential malware", even if there is virtually no code at all.
General solution would be getting proper code signing for your exe/dll/whatever. Prices usually starts at 75-100$/yr, if you don't plan to change binaries in future then minimal possible term is fine, as you need to sign binary only once while certificate is valid. Main problem tho is you actually need to be verified.
Idea with shortcut/link file may actually work, try it.
Maybe PyTom might offer extra service, re-signing exe files with custom icon and version info manifest, as there will be no risk and he need to sign exe files anyway. Try to ask him maybe, he does mac-related things already i believe, might help with win ones too.
I may be available for hire, check my thread: viewtopic.php?f=66&t=51350

User avatar
SypherZent
Veteran
Posts: 362
Joined: Fri Sep 02, 2016 3:14 am
Completed: Multiverse Heroes, Space Hamster in Turmoil
Location: Puerto Rico
Contact:

Re: Is Digitally Signing EXE Required?

#11 Post by SypherZent »

Ok, I will do some testing with a shortcut file.
Still have a few weeks before I dedicate time to the .ico again. Am in a crunch phase right now (hence the delayed replies).

Thanks for the replies, everyone, will update if/when I find a solution.

Post Reply

Who is online

Users browsing this forum: Ahrefs [Bot]