3

My problem: I have made a PC game (not created with Visual Studio) and turned it into a setup.exe by means of a setup creator. When running this setup file, the user will get this warning from Windows: "Do you want to allow this app from an unknown publisher to make changes to your PC?" My guess is that my file needs to be signed or certified somehow at Microsoft.

My question: Can anyone tell me the correct steps I have to follow so that the user won't get this warning?

Aguilo
  • 2
    Microsoft could not fight malicious software by blacklisting them, so they turned into white-listing those they do trust, practically almost killing independent developers, who may not be able, or willing, to pay hundreds of dollars for certificates. This is a state which we just have to accept. Or move to Linux. – Stavm Apr 27 '17 at 14:45
  • I agree with you @Stavm – Adds Apr 27 '17 at 14:47
  • 1
    @stavm "Microsoft could not fight malicious software by blacklisting them, so they turned into white-listing those they do trust" -- Sounds reasonable to me. If Linux gains enough market share would it not have the same problems? People won't waste their time writing malicious software for Linux when it will gain them 1/1000th the amount of money. Having to click "yes" on a dialog seems a far cry from "almost killing independent developers", especially when users are trained to click through 4+ dialogs every time they install something *anyway*. – Quantic Apr 27 '17 at 15:19

3 Answers

7

After some suggestions from @HarryJohnston I'll update the answer and post the original answer below. Here is the update:

You haven't actually discovered the real problem yet. If your application is not digitally signed with an EV certificate and it is downloaded from the internet, you'll get a security prompt much worse than that, and most people won't be able to get past it without instructions, as the accept button isn't even visible by default (e.g. see it here: http://labsii.com/share-to-speech-office-outlook-plugin-beta/).

So, strictly speaking, to answer your question: you can get any certificate and Windows won't show 'Unknown publisher' on your device anymore; it will rather show the name of your company.

But as you will probably distribute the installer out of your device, everything that I've said originally remains:

You need to sign the setup.exe with an EV certificate. They are rather expensive and hard to get.

You may also publish the game in the Windows Store as a way to avoid the prompt (it has some limitations, but most games shouldn't have a problem fitting in); use the Desktop App Converter tool. You will need to sign as a Microsoft developer, but that's cheap compared to all other options (20$).

You may also get a regular signing certificate which costs less, but it won't remove the prompt immediately, it will be removed only after Microsoft picks enough data that it can ensure that it is secure.

Ivan Ičin
  • For clarification, is the Microsoft developer fee one-time or per-product or per-year? – ashes999 Apr 27 '17 at 15:43
  • @ashes999 Microsoft developer is a one-time fee. – Ivan Ičin Apr 27 '17 at 18:53
  • I may be wrong, but I think you're confusing two different prompts here? The UAC elevation dialog that the OP appears to be asking about should **always** appear, and if the code is signed it should display your vendor name. I don't *think* there's any requirement for an EV certificate here, though I guess the dialog might look a little different depending on whether you've got one. – Harry Johnston Apr 27 '17 at 21:31
  • ... entirely separate from that, if Microsoft SmartScreen is on, the user will be warned if various heuristics (including the type of certificate and how often the app has been seen before) suggest that the software might not be unsafe. No? – Harry Johnston Apr 27 '17 at 21:32
  • @HarryJohnston those are two different dialogs. OP has clearly described how his looks like, and no it isn't even close to what you ask as most users can't install the app with the dialog that his ask as accept button is hidden by default and requires several clicks to appear at all. – Ivan Ičin Apr 27 '17 at 21:54
  • Hmmm. On Windows 7 and 8.1, the UAC dialog (the only one I see) says "Do you want to allow the following program from an unknown publisher to make changes to this computer?" and has Yes or No options. I can't check Windows 10 right now. I'll get back to you. The OP did explicitly say that he is talking about the UAC warning. – Harry Johnston Apr 28 '17 at 00:06
  • 1
    @HarryJohnston you are right that there is another wording in SmartScreen filter that I was thinking about. It is not available on Windows 7 though. It is available for Windows 8.1, but you must download the file from the internet to see it. I'll update the answer. – Ivan Ičin Apr 28 '17 at 00:32
  • [More information about SmartScreen and EV certificates here.](https://blogs.msdn.microsoft.com/ie/2012/08/14/microsoft-smartscreen-extended-validation-ev-code-signing-certificates/) – Harry Johnston Apr 28 '17 at 00:49
1

You can try getting the Authenticode certificate I used. Here is the link for that: https://www.sslshopper.com/microsoft-authenticode-certificates.html

I used DigiCert and they have good response times.

Adds
1

Thanks guys. Herewith a summary, including some of the research I did myself in the meantime. The solution indeed goes through:

  • Windows Store Publishing: in that case however mind that the setup is supposed to be MSI and the application UWP. So in my case I will need to do conversion with the Desktop Bridge
  • Buying an Authenticode Certificate through a CA (certificate authority). Signing goes by means of signtool.exe, which is part of the SDK. The signing command is entered through the command prompt screen. Here is a command line example in case Symantec is the CA: `signtool.exe sign /a /s MY /n "appname" /fd sha256 /tr www.sha256timestamp.ws.symantec.com/sha256/timestamp /v "C:/ ..../mySetup.exe"` Mind to use the new hash, sha256, instead of the old one, as discussed here
Aguilo
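A pre-release check for the signed installer discussed in the answers above, added here as an example and not taken from any of the posts. It reports the Authenticode status, the publisher name carried by the signing certificate, whether the signature was timestamped (the `/tr` step), and whether the file carries the download mark that the SmartScreen comments refer to. The function name `Test-InstallerSignature` and the path in the usage comment are hypothetical.

```powershell
# Added example: inspect an installer the way Windows will before prompting.
function Test-InstallerSignature {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Path
    )

    $file = Get-Item -LiteralPath $Path -ErrorAction Stop
    $sig  = Get-AuthenticodeSignature -LiteralPath $file.FullName

    # A publisher name is only meaningful when the signature validates;
    # unsigned, tampered or untrusted files are treated as unknown.
    $publisher = if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) {
        $sig.SignerCertificate.GetNameInfo(
            [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName,
            $false)
    } else {
        'Unknown publisher'
    }

    # Downloads on NTFS carry a Zone.Identifier alternate data stream.
    # ZoneId=3 means the file came from the Internet zone.
    $motw = Get-Content -LiteralPath $file.FullName -Stream Zone.Identifier `
                -ErrorAction SilentlyContinue
    $zoneLine = $motw | Where-Object { $_ -match '^ZoneId=\d+' } |
                    Select-Object -First 1
    $zone = if ($zoneLine) { [int]($zoneLine -replace '^ZoneId=', '') } else { $null }

    [pscustomobject]@{
        File            = $file.Name
        SignatureStatus = $sig.Status          # Valid, NotSigned, HashMismatch, ...
        StatusMessage   = $sig.StatusMessage
        Publisher       = $publisher
        # Without a timestamp the signature stops validating when the
        # signing certificate expires.
        Timestamped     = [bool]$sig.TimeStamperCertificate
        CertExpires     = if ($sig.SignerCertificate) { $sig.SignerCertificate.NotAfter } else { $null }
        DownloadZoneId  = $zone                # $null = no download mark present
    }
}

# Usage (hypothetical path):
#   Test-InstallerSignature -Path .\mySetup.exe | Format-List
```

Run it once on the build output and once on a copy downloaded through a browser: only the downloaded copy should show a `DownloadZoneId`, which is why the two prompts discussed in the comments can differ between the developer's machine and a user's.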