I had a code-signing certificate for the last 3 years. When I signed my software with it, the signature did not cause any SmartScreen warnings when the software was downloaded from the Internet.

This certificate was expiring this month, so I renewed it with the same company for another 3 years.

The issue it created is that now when I sign my software, the new certificate does not have any reputation with the Windows 10 SmartScreen, so when the software is downloaded and run, it shows this warning:

[Screenshot of the Windows SmartScreen warning]

(I've been signing my software with it for over 2 weeks now. And the warning is still there.)

I know it's a slim chance, but is there a way to link this new certificate to the old one to preserve the old cert's reputation with SmartScreen?

PS. This "cert renewal business" and the loss of reputation is costing me dearly in the number of installs of my software. Also, why do developers have to pay with the reputation loss for the cert renewals?

c00000fd
  • A quick follow-up. I remember I ended up [submitting my executable here](https://www.microsoft.com/en-us/wdsi/filesubmission) to MSFT. I'm not sure if it helped, or not. But it took about 2-3 weeks before my updated signature began being recognized by them again without triggering that nasty warning. – c00000fd Dec 17 '19 at 17:55

2 Answers

Not an exact answer to your question, but I think this method might help you as well:

Create a small installer package that does nothing other than download the real, up-to-date installer EXE/MSI from a web server (let's call it the "secondary installer") and run it.

You can update the "secondary installer" as often as you want, but by all means avoid any changes (rebuilds) of the "primary installer".

Why does this work?

  • You need to code sign the primary installer only once. As long as the EXE remains as-is, its signature and reputation remain valid even when the certificate itself expires (an expired certificate won't let you sign new code, but already signed code remains valid).
  • Smart Screen only checks your primary installer. It apparently does not care if that program downloads and runs other programs.

Of course, your primary installer (or, more exactly, its certificate) still needs to gain reputation, but after that, you're set.

I used Inno Setup along with the Inno Download Plugin to create such a "primary installer" (resulting in a ~700 kb Setup).

Udo G
  • Yeah, that's an interesting approach. I'd call it a `bypass` of their SmartScreen. I've seen this done many times. Heck, even the MS VS installer does a similar thing. So I guess when you download your 2nd executable yourself you obviously clear its `Mark-of-the-web` stream before running, right? It's a much more involved solution for my liking, but I can see how it may be appropriate. In my case it took about 2-3 weeks before the updated signature began being recognized again. Very annoying, but I guess I had to go through it. No way to argue with the "wisdom" of MSFT. – c00000fd Dec 17 '19 at 17:52
  • As a bonus, the first installer can automatically choose the appropriate installation package (32/64bit, for example). – Udo G Dec 17 '19 at 19:32
  • Yeah, I hear you brother. – c00000fd Dec 17 '19 at 19:33
  • I see no alternative to this solution, unless you go with an EV certificate. Otherwise you'll have the same problem again once your certificate expires, losing precious time waiting for "reputation". – Udo G Dec 17 '19 at 19:34
  • I tried to get an EV cert, but they didn't issue it to me as a sole proprietor (with a company.) Do you have any experience with EV certs yourself? – c00000fd Dec 17 '19 at 19:36
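One check the bootstrap approach above should include, added here as an example and not taken from the answer or from Inno Setup: before the primary installer runs the downloaded secondary installer, verify its Authenticode signature, pin the signer to your own certificate thumbprints (both the old and the renewed one, so a renewal needs no rebuild of the primary), and require a timestamp so the signature stays valid after the certificate expires. The thumbprint values and the download URL are placeholders.

```powershell
# Added example: verify a downloaded secondary installer before running it.
# PLACEHOLDERS: replace with the SHA-1 thumbprints of your own signing certs.
$PinnedThumbprints = @('<OLD-CERT-THUMBPRINT>', '<RENEWED-CERT-THUMBPRINT>')

function Test-SecondaryInstaller {
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [Parameter(Mandatory)] [string[]] $AllowedThumbprints
    )
    $sig = Get-AuthenticodeSignature -FilePath $Path

    # Chain must validate; 'NotSigned', 'HashMismatch', 'UnknownError' etc. are rejected.
    if ($sig.Status -ne 'Valid') {
        Write-Warning "Signature not valid: $($sig.Status) - $($sig.StatusMessage)"
        return $false
    }
    # A merely valid chain would also accept any other publisher's signed binary,
    # so pin the signer to your own certificate(s).
    if ($sig.SignerCertificate.Thumbprint -notin $AllowedThumbprints) {
        Write-Warning "Unexpected signer: $($sig.SignerCertificate.Subject)"
        return $false
    }
    # Without a countersignature timestamp the signature stops validating once
    # the signing certificate expires, which is exactly the renewal problem here.
    if (-not $sig.TimeStamperCertificate) {
        Write-Warning 'Signature is not timestamped'
        return $false
    }
    return $true
}

# Usage inside the primary installer (URL is a placeholder).
$url  = 'https://example.invalid/downloads/Setup-latest.exe'
$dest = Join-Path $env:TEMP 'Setup-latest.exe'
Invoke-WebRequest -Uri $url -OutFile $dest

if (Test-SecondaryInstaller -Path $dest -AllowedThumbprints $PinnedThumbprints) {
    Start-Process -FilePath $dest -Wait
} else {
    Remove-Item $dest -ErrorAction SilentlyContinue
    throw 'Downloaded installer failed signature verification; not running it.'
}
```

The download is over HTTPS, but the signature check is what protects against a compromised or substituted file on the web server; the thumbprint list is what lets the unchanged primary installer accept a renewed certificate.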

It is by design of MS: for every renewal you will have to build trust, and only then will the SmartScreen filter be removed for your certificate. If you need immediate reputation you need to purchase an EV CS. I know it is too costly for EV CS but we have no other choice. Even Microsoft doesn't answer this question. Either bear the cost or live with it and wait for the reputation to build.

  • Well, saying "just purchase an EV cert" is not a fair answer. I tried and they won't sell it to a freelance developer that is not associated with a business. Am I missing something about those EV certs? – c00000fd Oct 17 '19 at 20:46
  • For getting EV certs from a CA you need to have a registered business: either get registered as a sole proprietor or a Pvt limited to obtain EV. It is a rule from the CA/B Forum. – Pradeep Kumar V Oct 18 '19 at 08:40