
So I had a certificate from Comodo, bought via KSoftware, that I use to sign my software so it does not generate a warning when users download it. This has been working fine, but the 2-year certificate expired last month. I purchased a new certificate last week and applied it to a new version of my application, but now when I download it, it warns me of an unknown publisher, and weirdly, when I click on "More info" it shows my full address instead of just my company name, JThink.

I have looked at my old and new certificates in the browser and noticed I had Jthink ltd in the old certificate and JThink in the new one. Would this cause an issue?

Update

Smart Screen Problem

Comodo tell me there is a period of time before Microsoft start accepting new certificates, and it would still be a problem even if the company information was identical, because the certificate number is different.

Is this true, and what length of timescale are we talking about here?

Paul Taylor
  • Did you check with `Windows App Certification Kit (WACK)` as recommended in http://stackoverflow.com/questions/12311203/how-to-pass-the-smart-screen-on-win8-when-install-a-signed-application ? – osgx Feb 19 '17 at 16:38
  • @osgx no, thanks, that sounds like a plan, albeit a right pain in the ass to have to attempt it – Paul Taylor Feb 20 '17 at 13:35
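
An added example, not part of the original thread: a PowerShell check that compares the Authenticode signer of a build signed with the old certificate against one signed with the new certificate, showing the publisher subject and certificate serial number that the question and Comodo's reply refer to. The two file paths are hypothetical placeholders.

```powershell
# Added example (not from the thread). Paths are hypothetical placeholders for
# an installer signed with the expired certificate and one signed with the
# replacement certificate.
param(
    [string]$OldBuild = '.\MyApp-old-setup.exe',
    [string]$NewBuild = '.\MyApp-new-setup.exe'
)

function Get-SignerSummary {
    param([Parameter(Mandatory)][string]$Path)

    # Get-AuthenticodeSignature validates the embedded signature and exposes
    # the signing certificate plus any timestamp countersignature.
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate   # $null when the file is unsigned

    [pscustomobject]@{
        File         = Split-Path -Path $Path -Leaf
        Status       = $sig.Status
        Subject      = $cert.Subject
        Issuer       = $cert.Issuer
        SerialNumber = $cert.SerialNumber
        Thumbprint   = $cert.Thumbprint
        NotAfter     = $cert.NotAfter
        Timestamped  = [bool]$sig.TimeStamperCertificate
    }
}

$old = Get-SignerSummary -Path $OldBuild
$new = Get-SignerSummary -Path $NewBuild
$old, $new | Format-List | Out-Host

# Report every identity field that changed between the two certificates.
foreach ($field in 'Subject', 'Issuer', 'SerialNumber', 'Thumbprint') {
    if ($old.$field -ne $new.$field) {
        Write-Output ("{0} differs:`n  old: {1}`n  new: {2}" -f $field, $old.$field, $new.$field)
    }
}

# Rule out problems unrelated to reputation before waiting for it to build.
if ($new.Status -ne 'Valid') {
    Write-Warning "New build signature status is $($new.Status), not Valid."
}
if (-not $new.Timestamped) {
    Write-Warning 'New build has no timestamp; the signature stops validating once the certificate expires.'
}
```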

2 Answers


You just need to wait some time. Windows collects different data for your new certificate (total download count, etc.) and at some point in the near future (depending on the download rate) it will mark it as whitelisted (if it's all OK). And all your downloads signed using this new certificate will not be blocked anymore.

The same mechanism applies (I think) to downloads without certificates at all. Windows collects the file reputation and after some critical amount of "good-experience" downloads it marks the file as OK. The same logic applies to certificates. Thus you do not need to wait anymore if your certificate has a "good reputation".

Alexander Dyagilev
  • My app is for an extremely narrow "market," a 65 at most, so I'm guessing it will never get whitelisted with a Standard certificate. Yet, "Market" is quoted because it's free to users, so EV is out of the question. What should I do? – Ed S Mar 29 '17 at 15:20
  • Sorry, I do not know... My software is not popular either (it's my hobby). Its installer is not signed at all. It has about 400 downloads per month. I updated it recently, on Feb 5, 2017. Just checked: the Edge, Chrome and Firefox browsers give me no warning when I download and run the installer. – Alexander Dyagilev Mar 30 '17 at 05:30

You need to use an Extended Validation code signing certificate, which provides a more trusted security certificate for your Windows binary. Regular code signing certificates are not validated by Windows SmartScreen protection.

I had a similar issue when Windows 10 was released with Windows SmartScreen protection with more advanced security features.

https://www.digicert.com/code-signing/ev-code-signing.htm

Gurdev Singh
  • Gurdev, really I can't afford those; will a standard certificate eventually work? – Paul Taylor Feb 26 '17 at 13:21
  • Paul Taylor, yes, it will. :) – Alexander Dyagilev Feb 26 '17 at 13:23
  • @AlexanderDyagilev Windows SmartScreen protection works on data collection based on the users who trust a software publisher. A standard certificate will work, but not unless Microsoft collects enough data from users selecting "Trusted". For quick confirmation of you as a trusted publisher, an EV certificate would be required. Please check this link https://blogs.msdn.microsoft.com/ie/2012/08/14/microsoft-smartscreen-extended-validation-ev-code-signing-certificates/ – Gurdev Singh Feb 26 '17 at 14:31
  • Yes, you're right. But it would be better to say not "trusted" but "allowed to run". Thus more downloads, more runs, less time to whitelist. – Alexander Dyagilev Feb 26 '17 at 14:45