We have finally completed the first market-ready version of our product (MS-Word Plugin). We've sent the download link (.exe hosted on AWS S3) out to our potential clients, but apparently most of them get a security warning when visiting the download site and therefore won't download anything.

We've already sent our installer for inspection to Microsoft hoping to get validated for Edge, but I assume the process will take a few weeks.

What instant solutions are there? We've already thought of sharing a Dropbox link, but we would like to have something more professional. We really appreciate any feedback since our situation is more than sub-optimal.

Sven
  • You're essentially asking how to tell your client's anti-virus (including those built into the browser) that your exe isn't a virus. – gunr2171 May 15 '23 at 13:12
  • So it's not the browser alone... And how would we go about that? – Sven May 15 '23 at 13:13
  • Do you know any (temporary) workaround maybe? – Sven May 15 '23 at 13:14
  • Buy a code signing certificate and sign your build – Charlieface May 15 '23 at 13:16
  • The best will be to certify your application, but it will take some time: https://learn.microsoft.com/en-us/windows/win32/win_cert/windows-certification-portal – D.Kastier May 15 '23 at 13:17
  • @D.Kastier What amount of time are we talking about here? – Sven May 15 '23 at 13:17
  • That I do not know... But I guess that it can take from a couple of weeks to a month – D.Kastier May 15 '23 at 13:20
  • It says here that it is faster: https://learn.microsoft.com/en-us/windows/apps/publish/publish-your-app/app-certification-process?pivots=store-installer-msix – D.Kastier May 15 '23 at 13:21
  • But to make sure: This will also remove the warnings on download? It seems to me that this is just for the installation process – Sven May 15 '23 at 13:22
  • You might want to hire an actual security expert. You're stepping into quite the rabbit hole here. – gunr2171 May 15 '23 at 13:25
  • The instant solution is to sign your exe and plugin with your own generated root and dev certificate and then send your customers the public certificate chain so they can add those to their trusted certificate store. Browsers will still be careful and show a warning but beyond that it might just work. Do note that by doing this you do put the security of the systems of your potential clients at risk. For example if you leak the private keys: https://arstechnica.com/information-technology/2023/05/leak-of-msi-uefi-signing-keys-stokes-concerns-of-doomsday-supply-chain-attack/ – rene May 15 '23 at 13:55
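
The signing step suggested in the comments above, followed by a check to run before the link goes out, as an added example that is not part of the original thread. The installer file name and the timestamp URL are assumptions: the URL is a placeholder to be replaced with the RFC 3161 address your certificate authority documents.

```powershell
# Added example: Authenticode-sign an installer, then verify it before publishing.
param(
    [string]$InstallerPath = '.\WordPluginSetup.exe',            # hypothetical file name
    [string]$TimestampUrl  = 'http://timestamp.example.invalid'  # placeholder, not a real service
)

$ErrorActionPreference = 'Stop'

# Pick a code signing certificate that has its private key and is inside its validity window.
$now  = Get-Date
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object { $_.HasPrivateKey -and $_.NotBefore -le $now -and $_.NotAfter -gt $now } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw 'No usable code signing certificate in Cert:\CurrentUser\My.' }

# Sign with SHA-256 and a timestamp, so the signature still verifies after the
# certificate itself has expired. NotRoot embeds the intermediates but not the root.
Set-AuthenticodeSignature -FilePath $InstallerPath -Certificate $cert `
    -HashAlgorithm SHA256 -TimestampServer $TimestampUrl -IncludeChain NotRoot | Out-Null

# Re-read the file from disk and check what a client machine would see.
$sig      = Get-AuthenticodeSignature -FilePath $InstallerPath
$problems = @()
if ($sig.Status -ne 'Valid') {
    $problems += "Signature status is $($sig.Status): $($sig.StatusMessage)"
}
if (-not $sig.TimeStamperCertificate) {
    $problems += 'Signature carries no timestamp.'
}
if ($sig.SignerCertificate.Thumbprint -ne $cert.Thumbprint) {
    $problems += 'File is signed by a different certificate than the one selected.'
}
if ($problems) { throw ($problems -join ' ') }

# Summary to publish next to the download link so clients can compare the hash.
[pscustomobject]@{
    File      = (Resolve-Path $InstallerPath).Path
    Signer    = $sig.SignerCertificate.Subject
    NotAfter  = $sig.SignerCertificate.NotAfter
    Timestamp = $sig.TimeStamperCertificate.Subject
    SHA256    = (Get-FileHash -Path $InstallerPath -Algorithm SHA256).Hash
}
```

With a self-generated root, as in the last comment, the status check reports something other than `Valid` on any machine where that root has not been added to the trusted store.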
