I open this discussion for transparency reasons, and to let the community know that we once again have issues regarding code signing for Windows. I have also written the same statement as an issue on GitHub. To view it, please see here: Zettlr/Zettlr#6111
What is Code Signing, and Should Zettlr Users Care?
In short, code signing is a process by which we tell Windows that our software — the Zettlr program that you install — is coming from a reputable source and as such is unlikely to be dangerous. Code signing involves registering with a provider that offers code signing services. That provider will verify the developer's identity through official documents, and then issue a certificate that the developer can use to perform said code signing. This is done so that every Windows computer knows that a reputable authority has verified that I am who I say I am.
If an application is not code signed, Windows will refuse to run the program. On your personal computer, you can simply dismiss this warning with an administrative account, but on your work computer, you likely cannot. IT departments usually do not allow employees to have admin access for good reasons, but this makes it difficult to use Zettlr on such computers.
Currently, Zettlr utilizes a code signing certificate from Microsoft directly. This means that I have proven my identity with Microsoft, and they have issued such a certificate for me, which I currently use to sign Zettlr. This means that you can install Zettlr both on your personal computers and on your work computers.
What is the Issue with Code Signing for Zettlr on Windows?
This certificate that I currently use to sign the app is set to expire on January 31st, 2026 — that's in 24 days, or a bit over three weeks. Unless a miracle happens, I will not be able to renew the certificate, and as such any Zettlr version released after this date will not be code signed.
This means that, if you use Zettlr on your work computers, you might not be able to install any updates after January 31st. Existing releases should continue to work, however.
What Will Happen if the Code Signing Expires?
If the certificate expires with no solution, I will be unable to code-sign the application with Microsoft. That means that Windows will refuse to run Zettlr by default. If you have administrative access to your computer, you will be able to dismiss this warning, but if you don't, then there is no way for you to run Zettlr. What you can do is ask your IT department; they have the power to install software regardless of code signing status.
What are the Next Steps?
Currently, I am in contact with various people, and I am trying to get in touch with Microsoft. However, they charge for even low-priority email support, so I'll likely be facing additional charges to get this resolved.
Other than that, I will be on the lookout for potential other alternatives, although I am not hopeful, given that Microsoft clearly wants to transform Windows into a corporate operating system that disregards individuals, both as users and as developers.
How Can I Help?
Zettlr needs to be code-signed, and as such it would need an authorized entity to sign up for code signing. Microsoft states that entities who can sign up for code signing are:
- Either individuals located in North America (U.S. and territories, and Canada)
- Or companies located in the Americas, Asia, or Europe that have been incorporated at least three years in the past.
An alternative might be to find another provider, but I do not know which providers fulfill the increased security requirements that Microsoft has mandated since last year. In any case, this is unfortunately an issue that cannot be solved by throwing money at it.
If you have any questions or concerns, please comment below.