How to preserve reputation with the Windows 10 SmartScreen Filter after code-signing certificate renewal

I had a code-signing certificate for the last 3 years. When I signed my software with it, the signature did not cause any SmartScreen warnings when the software was downloaded from the Internet.

This certificate was expiring this month, so I renewed it with the same company for another 3 years. But now my signed software is blocked by Windows with a nasty security warning.

The problem this created is that the new certificate has no reputation with Windows 10 SmartScreen, so when software signed with it is downloaded and run, it shows this warning:

Windows protected your PC

Windows Defender SmartScreen prevented an unrecognized app from starting. Running this app might put your PC at risk.

More info

I’ve been signing my software with it for over 2 weeks now. And the warning is still there.

I know it’s a slim chance, but is there a way to link this new certificate to the old one to preserve the old cert’s reputation with SmartScreen?

PS. This “cert renewal business” and the loss of reputation is costing me dearly in the number of installs of my software. Also, why do developers have to pay with the reputation loss for the cert renewals? (A rhetorical question.)

Suggestions

There’s really no definitive answer as to how Windows 10 SmartScreen works.

One suggestion is to wait until more people install the software and don’t complain about it. This may take some time, depending on the install base.

Then there’s another option – to buy a more expensive Extended Validation Code Signing Certificate, which should provide immediate reputation with SmartScreen. (Note that this option is available only for businesses, and individual developers will not be able to buy an EV cert.)

Lastly, there’s a third solution that was suggested to me:

Create a small installer package that does nothing other than download the real, up-to-date installer EXE/MSI from a web server (let’s call it the “secondary installer”) and run it.

You can update the “secondary installer” as often as you want, but by all means avoid any changes (rebuilds) of the “primary installer”.

Why does this work?

  • You need to code sign the primary installer only once. As long as the EXE remains as-is, its signature and reputation remain valid even when the certificate itself expires (an expired certificate won’t let you sign new code, but already signed code remains valid).
  • SmartScreen only checks your primary installer. It apparently does not care if that program downloads and runs other programs.

Of course, your primary installer (or, more exactly, its certificate) still needs to gain reputation, but after that, you’re set.

This may be a good hack to try. For sure, I see many commercial software vendors using that technique.
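As an added example (not code from this post or from the person who suggested the approach), here is what the “primary installer” logic could look like in PowerShell, with the check a careful publisher would add: the secondary installer is fetched over HTTPS and run only if its Authenticode signature is valid, timestamped, and from the expected publisher. The URL, the subject name and the function name Test-InstallerSignature are constructed placeholders, not values from the post.

```powershell
# Added example, not code from the post or from whoever suggested the approach.
# Sketch of the "primary installer": fetch the secondary installer and run it only if
# its Authenticode signature passes the checks below. URL and subject are placeholders.

$SecondaryUrl    = 'https://downloads.example.invalid/setup-latest.exe'   # constructed placeholder
$ExpectedSubject = 'CN=Example Software Ltd, O=Example Software Ltd, C=US' # constructed placeholder

function Test-InstallerSignature {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Subject
    )
    $sig = Get-AuthenticodeSignature -FilePath $Path

    # 'Valid' means the file hash matches and the signer chains to a trusted root;
    # anything else (NotSigned, HashMismatch, NotTrusted, UnknownError) is rejected.
    if ($sig.Status -ne 'Valid') {
        Write-Warning "Signature check failed: $($sig.Status) - $($sig.StatusMessage)"
        return $false
    }
    # Pin the publisher. Pinning the thumbprint would be stricter, but a renewed
    # certificate has a new thumbprint and the primary installer is meant to be built
    # once; the subject DN normally survives a renewal with the same CA.
    if ($sig.SignerCertificate.Subject -ne $Subject) {
        Write-Warning "Unexpected signer: $($sig.SignerCertificate.Subject)"
        return $false
    }
    # A timestamp countersignature is what keeps the signature valid after the signing
    # certificate expires, which the 'sign once and never rebuild' approach depends on.
    if (-not $sig.TimeStamperCertificate) {
        Write-Warning 'Signature is not timestamped and will not outlive the certificate.'
        return $false
    }
    return $true
}

if (-not $SecondaryUrl.StartsWith('https://', [System.StringComparison]::OrdinalIgnoreCase)) {
    throw 'Refusing to fetch the secondary installer over plain HTTP.'
}

$tmp = Join-Path $env:TEMP ('secondary-' + [guid]::NewGuid().ToString() + '.exe')
Invoke-WebRequest -Uri $SecondaryUrl -OutFile $tmp -UseBasicParsing

if (Test-InstallerSignature -Path $tmp -Subject $ExpectedSubject) {
    Start-Process -FilePath $tmp -Wait
} else {
    Remove-Item -Path $tmp -Force
    throw 'Secondary installer failed verification and was not run.'
}
```

Without the signature and publisher checks, whoever can replace the file on the web server gets to run code under the primary installer’s reputation, so the check is the part that makes this pattern defensible.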
