Open chybeat opened 2 years ago
Thanks for the suggestion!
But:
So, I think as long as Microsoft doesn't accept my self-signed setup or there is some way to get a proper signature without paying money (like a Let's Encrypt for setup/exe files), SmartScreen will always scare off potential users.
Thanks for program, is goooood for that I needs! :)
Glad to know🙂 You're welcome!
I recommend looking into sigstore.dev. It's been described as Let’s Encrypt for Code Signing.
@jordanbtucker Thanks for this suggestion! I'll take a deeper look at the next release and give feedback on how it works.
@jordanbtucker I took a short look at sigstore.dev but it appears that they don't offer additional trust from Microsoft yet. See this issue comment in the sigstore/fulcio repository.
This is clearly a problem. So I filed two issues, one for Windows (Microsoft) and one for macOS (Apple):
I will keep an eye on this problem. But please let me know if you (or anyone) have an additional suggestion or if something new appears that could solve this problem.
That's a shame. I'll keep an eye out for any other free or low-cost solutions.
While this issue could be seen as a duplicate of #27 and #28, I am reopening this issue anyway until it is solved.
To anyone: feel free to provide additional suggestions.
Hi @c3er, I too am trying to publish software using electron-builder and have issues with code signing (as it is my first FOSS, I am currently learning about everything regarding publishing applications to all those platforms).
By exploring a lot of GitHub Issues/Discussions, I stumbled upon this: https://about.signpath.io/. They're providing code signing services for OSS projects.
I emailed them recently to get more information regarding those services; you could probably give it a try too. I don't know much yet about what they propose 😄
Thanks for the suggestion, @ChxGuillaume!
So far, this looks good. Please let me know what they responded. I will also take a closer look in the future. Right now, I don't have much time and energy for this project.
After a first glance, my understanding is that they actually support OSS projects with a valid certificate after applying via e-mail. Usually, you have to pay an authority a yearly fee to get a certificate, and this can be complicated in itself. I don't currently know how much this fee costs.
Update: while I could still try to get a certificate from SignPath, it doesn't look too promising according to my current understanding. According to this issue comment in the sigstore-fulcio repository, one could get only an "EV" certificate that still causes SmartScreen to warn until the tool is downloaded and installed often enough.
It seems that @microsoft doesn't want hobbyists to publish software for Windows😔 There seems to be no way for a private person to convince the Windows security mechanisms that the tool is not malicious.
Yeah, sadly only EV certificates skip SmartScreen immediately; those certificates are also only given to companies, not to individuals.
The only advantage of signing with an OV certificate like SignPath is that, if you gain enough reputation, your next and current builds that used your certificate should not bother users with Microsoft's SmartScreen. But yeah, initially you have to build trust even with OV certificates.
Talking about reputation, I got feedback from SignPath: to deliver a certificate, they require your project to have some reputation in the OSS community, so people contributing to it, your software being referenced in articles, and so on.
Regarding my project, I'll probably buy an OV certificate for OSS projects by Certum purely to experiment with code signing on Windows, but yeah. Sadly, Microsoft doesn't want to provide options for hobbyist projects; I hope that'll change in the future.
I read the docs; this is only a suggestion.
My Windows version is 10 21H1 1v9043.1766. I searched the web for a Markdown viewer many times on a lot of sites. This works as I expect, but the SmartScreen...
So, did you try InnoSetup? https://jrsoftware.org/ Source code: https://github.com/jrsoftware/issrc
The problem with SmartScreen is the unknown publisher, and with InnoSetup you can set a publisher, like your installers have your name. But maybe it can help; I don't know, I'm not an expert on installers. It is just a suggestion.
Thread closed by author (ChyBeat), because it is just a suggestion and I don't know where I can write one.
Thanks for program, is goooood for that I needs! :)