What does "Signed by Publisher" mean?

If you see an application with the green "Signed by Publisher" badge, it means the application was signed with the SSH private key that belongs to the publisher's GitHub account.

You can verify this manually by following the steps below.

How to verify whether an app was signed by the publisher

Prerequisites for this article

Step 1. Get the SSH public keys of the publisher's GitHub account

  1. Open the publisher's GitHub profile page.
    fig.1
  2. Append ".keys" to the URL, and open it.
    fig.2
  3. You will then see the publisher's SSH public keys.
    fig.3

Step 2. Get the public key from the signed application's certificate

  1. Open the certificate link and download the signed application's .cer file.
    fig.4
  2. Open a command prompt, extract the public key from the .cer file (DER format) and save it as a PEM file with the following command.
    > openssl x509 -in ".cer file path" -inform DER -pubkey -noout > "PEM public key file path"
  3. Convert the public key from PEM to OpenSSH format with the following command.
    > ssh-keygen.exe -i -m PKCS8 -f "PEM public key file path"
  4. You will then see, in OpenSSH format, the public key that was used for code signing.
    fig.5

Step 3. Compare public keys

Compare the OpenSSH-format public keys from Step 1 and Step 2.

If they are the same, the application was signed with the private key that belongs to the publisher.

If you trust the publisher and have validated in this way that the application was signed with the publisher's private key, you may be able to trust the application.
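To automate Step 3 without relying on a second tool, the following added example (my own code, not from this page or from the gallery) does in pure Python what `openssl x509 -pubkey` plus `ssh-keygen -i -m PKCS8` do: it reads the PEM public key extracted from the .cer file, re-encodes it in OpenSSH format (RFC 4253 string and mpint encoding, which is why the two tools' outputs are comparable at all), and checks it against the text of the publisher's `.keys` page. The toy 24-bit RSA key and the `.keys` text are constructed samples, not fetched from GitHub; in real use, pass in the PEM file from Step 2 and the text from Step 1.

```python
import base64, struct

def der_tlv(b):
    """One DER tag-length-value: returns (tag, value, remaining bytes)."""
    tag, ln, i = b[0], b[1], 2
    if ln & 0x80:                                    # long-form length
        k = ln & 0x7F
        ln, i = int.from_bytes(b[i:i + k], 'big'), i + k
    return tag, b[i:i + ln], b[i + ln:]

def der_children(b):
    out = []                                         # (tag, value) elements of a SEQUENCE body
    while b:
        tag, val, b = der_tlv(b)
        out.append((tag, val))
    return out

def rsa_from_spki_pem(pem):
    """(n, e) from a PEM SubjectPublicKeyInfo, i.e. the file written by `openssl x509 -pubkey -noout`."""
    b64 = ''.join(l for l in pem.splitlines() if l and not l.startswith('-----'))
    _, spki, _ = der_tlv(base64.b64decode(b64))
    (alg_tag, alg), (bits_tag, bits) = der_children(spki)
    oid = der_children(alg)[0][1]
    if alg_tag != 0x30 or bits_tag != 0x03 or oid != bytes.fromhex('2a864886f70d010101'):
        raise ValueError('not an rsaEncryption SubjectPublicKeyInfo')
    _, rsa_key, _ = der_tlv(bits[1:])                # bits[0] is the unused-bits count (0)
    n, e = (int.from_bytes(v, 'big') for _, v in der_children(rsa_key))
    return n, e

def ssh_mpint(x):
    """RFC 4253 mpint: length-prefixed big-endian, with a leading 0x00 if the top bit is set."""
    raw = x.to_bytes((x.bit_length() + 8) // 8, 'big')
    return struct.pack('>I', len(raw)) + raw

def to_openssh(n, e):
    """Same text `ssh-keygen -i -m PKCS8` prints for an RSA key: 'ssh-rsa <base64 blob>'."""
    blob = struct.pack('>I', 7) + b'ssh-rsa' + ssh_mpint(e) + ssh_mpint(n)
    return 'ssh-rsa ' + base64.b64encode(blob).decode()

def key_matches_github(cert_pubkey_pem, github_keys_text):
    """Step 3: True if the certificate's RSA key is one of the lines of the publisher's .keys page."""
    wanted = to_openssh(*rsa_from_spki_pem(cert_pubkey_pem)).split()
    return any(line.split()[:2] == wanted for line in github_keys_text.splitlines())

# Constructed sample, not a real key: SPKI for a toy RSA key n=0xC0FFEE, e=65537, DER hand-encoded.
_SAMPLE_DER = bytes.fromhex('30 1f 30 0d 06 09 2a864886f70d010101 05 00'   # AlgorithmIdentifier rsaEncryption, NULL
                            '03 0e 00 30 0b 02 04 00c0ffee 02 03 010001')  # BIT STRING holding RSAPublicKey {n, e}
SAMPLE_CERT_PUBKEY_PEM = '-----BEGIN PUBLIC KEY-----\n%s\n-----END PUBLIC KEY-----\n' % base64.b64encode(_SAMPLE_DER).decode()
# Constructed stand-in for the text of https://github.com/<publisher>.keys: one unrelated key, then the matching one.
SAMPLE_GITHUB_KEYS = to_openssh(0xBEEF, 3) + '\n' + to_openssh(0xC0FFEE, 65537) + '\n'
```

Only `ssh-rsa` keys are compared; if the publisher's `.keys` page lists only ed25519 or ECDSA keys, an RSA certificate key cannot match and the check correctly returns False.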

How to sign an application with your GitHub account's SSH key

Prerequisites for this article

Steps

  1. Configure "C:\Program Files\OpenSSL\bin\openssl.cfg": common name, expiration days, etc.
  2. Open a command prompt and run the following command to generate a self-signed certificate (.cer file).
    > openssl req -new -x509 -key "%HOME%\.ssh\id_rsa" -out "output .cer file path"
  3. Then generate a .pfx file containing the private key with the following command.
    > openssl pkcs12 -export -inkey "%HOME%\.ssh\id_rsa" -in ".cer file path (generated in the previous step)" -out "output .pfx file path"
  4. Once you have the .pfx file, import it into your PC's certificate store under Personal certificates. You can do this by double-clicking the .pfx file in Explorer.
    fig.6
  5. Configure your ClickOnce application project in Visual Studio: choose the certificate via Project Properties > "Signing" > [Select from Store...].
    fig.7