Building and Signing Prism Validator on Windows

This guide explains how to build the Prism Validator Windows application from source and sign it for distribution to IT departments.

Prerequisites

1. Python 3.8 or higher installed on your system

   • Download from: https://www.python.org/downloads/

   • Make sure to check “Add Python to PATH” during installation

2. Git (if cloning the repository)

   • Download from: https://git-scm.com/download/win

Code Signing for IT Departments

IT departments often require signed executables. Here’s how to sign your Windows build for free (for open source projects):

Option 1: SignPath.io (Recommended - FREE for Open Source)

SignPath provides free code signing for open source projects and integrates with GitHub Actions.

Setup Steps:

1. Apply for Free OSS Signing:

   • Go to: https://about.signpath.io/product/open-source

   • Fill out application with your GitHub repo URL

   • Approval usually takes 1-2 business days

   • You’ll receive an organization ID and API token

2. Add Secrets to GitHub:

   Repository Settings → Secrets and variables → Actions → New repository secret
   

   Add:

   • SIGNPATH_API_TOKEN: Your API token from SignPath

   • SIGNPATH_ORGANIZATION_ID: Your organization ID from SignPath

3. The Workflow Automatically Signs:

   • Already configured in .github/workflows/build.yml

   • Signing happens automatically when you create a release tag

   • Only signs if secrets are present (gracefully skips if not)

4. Create a Release:

   git tag -a v1.0.0 -m "Release v1.0.0"
   git push origin v1.0.0
   

   The signed executable will be in the GitHub release artifacts.

What Gets Signed:

• ✅ PrismValidator.exe - Main executable

• ✅ Certificate chain validates to trusted root

• ✅ SmartScreen won’t block (after reputation builds)

• ✅ IT departments can verify signature

Option 2: Self-Signed Certificate (FREE but LIMITED)

Pros: Completely free, can do locally Cons: Windows SmartScreen will still warn, IT departments may not accept

Only use if SignPath doesn’t work for your needs.

Create Self-Signed Certificate:

# Run PowerShell as Administrator
$cert = New-SelfSignedCertificate `
    -Type Custom `
    -Subject "CN=PRISM Validator, O=MRI Lab Graz, C=AT" `
    -KeyUsage DigitalSignature `
    -FriendlyName "PRISM Validator Code Signing" `
    -CertStoreLocation "Cert:\CurrentUser\My" `
    -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.3", "2.5.29.19={text}")

# Export certificate
$password = ConvertTo-SecureString -String "YourPassword" -Force -AsPlainText
Export-PfxCertificate `
    -Cert "Cert:\CurrentUser\My\$($cert.Thumbprint)" `
    -FilePath "PrismValidator-CodeSigning.pfx" `
    -Password $password

Sign the Executable:

# After building with PyInstaller
signtool sign /f "PrismValidator-CodeSigning.pfx" /p "YourPassword" /t http://timestamp.digicert.com "dist\PrismValidator\PrismValidator.exe"

Note: You’ll need to distribute the certificate to IT departments who will need to manually trust it.

Option 3: Submit to Microsoft for SmartScreen Reputation

Even with a valid signature, Windows SmartScreen may warn until your app builds reputation:

1. Sign with SignPath (or paid certificate)

2. Submit to Microsoft:

   • Go to: https://www.microsoft.com/en-us/wdsi/filesubmission

   • Upload your signed executable

   • Request reputation review

3. Build Reputation:

   • Downloads from many users over time

   • SmartScreen warnings decrease automatically

Verifying the Signature

After signing, verify it works:

# Check signature
Get-AuthenticodeSignature "dist\PrismValidator\PrismValidator.exe"

# Should show:
# Status: Valid
# SignerCertificate: [Your certificate]

In Windows Explorer:

1. Right-click the .exe file

2. Properties → Digital Signatures tab

3. Should show valid signature

Quick Start (Building)

Option 1: Using PowerShell (Recommended)

1. Setup the environment: Open PowerShell in the project directory and run:

   .\setup.ps1 -Build
   

2. Build the application:

   .\scripts\build\build_windows.ps1
   

Option 2: Using Command Prompt

Open Command Prompt in the project directory and run:

build_windows.bat

Option 3: Manual Build

If the automated scripts don’t work, follow these steps:

1. Create virtual environment:

   python -m venv .venv
   

2. Activate virtual environment:

   .venv\Scripts\activate.bat
   

3. Install dependencies:

   python -m pip install --upgrade pip
   pip install -r requirements.txt
   pip install -r requirements-build.txt
   

4. Create survey_library folder (optional but recommended):

   mkdir survey_library
   

5. Build the application:

   python scripts\build\build_app.py
   

Output

After a successful build, you’ll find the application in:

dist\PrismValidator\PrismValidator.exe

You can:

• Run it directly: dist\PrismValidator\PrismValidator.exe

• Double-click PrismValidator.exe in Windows Explorer

• Copy the entire dist\PrismValidator\ folder to another location

Troubleshooting

“Python not found”

• Make sure Python is installed and added to your PATH

• Try using py instead of python: py -3 -m venv .venv

“Failed to create virtual environment”

• Make sure you have write permissions in the project directory

• Try running PowerShell or Command Prompt as Administrator

“PyInstaller build fails”

• Make sure all dependencies are installed: pip install -r requirements-build.txt

• Check if antivirus software is blocking PyInstaller

• Try running with --debug flag: python scripts\\build\\build_app.py --debug

Missing icon

• The build script will automatically use the PNG logo from static/img/MRI_Lab_Logo.png

• If the file is missing, the build will continue without an icon

survey_library warnings

• The survey_library folder is optional

• If you see a warning, the build will continue normally

• The folder is only needed if you use the survey management features

Building for Distribution

The built application in dist\PrismValidator\ includes:

• PrismValidator.exe - Main executable

• _internal\ - Required libraries and data files

• All templates, static files, and schemas

To distribute:

1. Compress the entire dist\PrismValidator\ folder to a ZIP file

2. Share the ZIP file with end users

3. Users can extract and run PrismValidator.exe without installing Python

Platform-Specific Notes

• The Windows build uses a folder-based distribution (--onedir)

• All dependencies are packaged in the _internal folder

• The application runs without a console window (--windowed)

• Icon support requires a PNG or ICO file (automatically handled)

Next Steps

After building:

• Test the application: cd dist\PrismValidator && .\PrismValidator.exe

• The web interface will start on http://localhost:5001

• Check the logs if the application doesn’t start

See Also

• General Installation Guide

• Windows Compatibility Notes

• Windows Setup Guide