Thank you for your instructions and the reasons for those extra security warnings; they are very helpful for any Windows users!
I have asked for (and received), in the old website's forums, a hand-verified checksum for the Installer for me to verify it. It is standard practice to publish this anyway, from before the days of File-Signatures! Yes, Anti-virus is a great thing, but code-signing makes it enforceable from the Operating System's perspective.
A little example is happening right now:
If anyone has used a text editor to replace Windows Notepad, you may have heard of 'Notepad++'.
It is open source (which I didn't know), but has been around for donkey's years. Anyway, they have just, with this current version (8.3.3), switched over to 'self-signing' their code releases, which for us users means that you are given a copy of their 'Root Certificate CA' to install in your machine's library store for certificates. This will allow your local security (Windows) to verify all software they release as being of their origin.
This could be a valid model for signing FoldIt and any Installer etc. It does not involve using Microsoft Developer platforms at this level.
To quote the Notepad++ explanations:
"We’re still trying to obtain a certificate issued by conventional Certificate Authorities, for a better user experience. But let’s be honest: it’s probably not happening. Notepad++ isn’t a business - it’s certainly not an enterprise - and apparently, that makes a popular open-source project invisible to their gatekeeping standards.
If the “gatekeepers” won’t issue a certificate under the name we deserve - so be it. At least it spares us from wasting time and energy on a frustrating process that demands we beg for a new certificate every 3 years. The Notepad++ Root Certificate may not carry their approval, but it leads us to freedom."
and
(on using a certificate): 'allowing antivirus vendors, IT teams and users to verify the authenticity of each release.'
When checking the software's signing, Windows informs us that 'This certificate is intended for the following purpose(s):
- Ensures software came from software publisher
- Protects software from alteration after publication'
I don't know about possible level(s) of vulnerability of the 'chat' features that are identified, but you can replace the functionality with your own anyway. Also, the version of Lua used is already a minimal sandboxed implementation, and now even safer for being integrated with the website.
I am guessing that this can be done at a no-fee overhead since you aren't lodging a copy of any private key and certificate at some world-renowned storage facility, et cetera.
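
An added example, not part of the original post and not code from Notepad++ or FoldIt: a PowerShell check that combines the two mechanisms discussed above, the published checksum and a signature that chains to a self-signed root certificate. The function name `Test-InstallerTrust` and the placeholder values are assumptions; the expected hash and root thumbprint must come from the publisher.

```powershell
function Test-InstallerTrust {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedSha256,         # checksum published by the project
        [Parameter(Mandatory)] [string] $ExpectedRootThumbprint  # thumbprint of the project's root CA certificate
    )

    # 1. Checksum: detects a corrupted or swapped download.
    $actual = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256.Trim()) {    # -ne compares strings case-insensitively
        Write-Warning "SHA-256 mismatch: got $actual"
        return $false
    }

    # 2. Authenticode: 'Valid' means the file is unaltered since signing AND
    #    the signer chains to a root this machine trusts (for a self-signing
    #    project, the root certificate the user installed).
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        Write-Warning "Signature status: $($sig.Status) ($($sig.StatusMessage))"
        return $false
    }

    # 3. Pin the root: a valid signature under some other trusted CA is not
    #    proof of this publisher, so compare the chain's root to the expected one.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # chain is built only to locate the root
    [void]$chain.Build($sig.SignerCertificate)
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $pinned = $ExpectedRootThumbprint -replace '\s', ''
    if ($root.Thumbprint -ne $pinned) {
        Write-Warning "Unexpected root: $($root.Subject) [$($root.Thumbprint)]"
        return $false
    }
    return $true
}

# Constructed usage; both values are placeholders to be replaced with the publisher's:
# Test-InstallerTrust -Path .\installer.exe `
#     -ExpectedSha256 '<SHA256-FROM-PUBLISHER>' `
#     -ExpectedRootThumbprint '<ROOT-THUMBPRINT-FROM-PUBLISHER>'
```

The checksum and thumbprint are only as trustworthy as the channel they were obtained through, so they should be fetched separately from the installer itself.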