ultrahorizon / UH-VPN-Docs

Documentation, bug tracker and feature request system for UH VPN
https://docs.uh-vpn.com

FEATURE: Signing Windows installer packages #52

Closed sunny75016 closed 4 years ago

sunny75016 commented 4 years ago

I updated the Windows 10 laptop installation today using uh-vpn-installer_1.0.3.msi and observed two areas of potential improvement.

(1) The package came across as "Unknown Publisher". It will be nice to see UH being recognised as a named publisher and

(2) Windows 10 spent almost 30 seconds before allowing the installation to continue and came up with the Yellow Box warning before proceeding.

First I thought it was because the UH was already running so I shut down UH manually. It appears the delay is not because of Microsoft not trusting the installer. Alex and James can surely find out how the installer could be made more trusted.

By the way - I checked the installer on Virustotal and it was perfectly clean.

AnthonyWharton commented 4 years ago

Both of these issues are likely related to Windows Defender SmartScreen.

Windows requires software to be signed by an approved EV Code Signing certificate in order to immediately bypass SmartScreen. These certificates are provided by one of Microsoft's approved third party authorities, meaning that the certificate that we sign our software with has in turn been signed by one of the authorities' root certificates. These root certificates are automatically trusted by Windows (you can view all system certificates in the Microsoft Management Console by typing "Manage computer certificates" into the start menu search).

UH VPN is currently signed by our own signing certificate which was generated when we started UH VPN Windows, and that signing certificate has been signed by our API's Root CA which we generated when we started UH VPN. We have not yet opted to get a signing certificate with a third party vendor as these certificates run in the region of ~$700 per year from a trusted authority such as DigiCert. We will likely eventually shell out to buy such a certificate, but as of now this is seen as an unnecessary (and potentially overinflated - but that's a completely separate debate) cost.

If you were to import the UH VPN public Root certificate onto your system, this warning would not come up and it would show the publisher as Ultra Horizon; however, many would argue it is not considered to be best practice to do this - not that we ever intend on distributing malware, but blindly trusting any third party certificate should raise alarm bells. Likewise, if/when we start signing with an approved EV Code Signing certificate, Windows would see the software has been signed by a certificate issued by one of its root authorities and show Ultra Horizon as the (implicitly trusted) publisher.

For the time being we offer fairly comprehensive documentation on checking the integrity and signing thumbprint of our installers here: https://docs.uh-vpn.com/en/latest/clients/windows/installation.html, for those that wish to verify their installers are indeed from us.
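
The check described in the comment above can be scripted by pinning the signing certificate's thumbprint rather than importing the publisher's root CA. This is an added example, not part of the thread or the project's documentation; the function name is hypothetical, SHA-256 is an assumed hash algorithm, and both expected values are placeholders to be replaced with the ones the publisher documents.

```powershell
# Added example: verify an installer by hash and by pinned signer thumbprint.
# Placeholders below are NOT real values; copy them from the publisher's docs.
$ExpectedSha256     = '<PUBLISHED-SHA256-HASH>'
$ExpectedThumbprint = '<PUBLISHED-SIGNING-CERT-THUMBPRINT>'

function Test-PinnedInstaller {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string]$Path,
        [Parameter(Mandatory)] [string]$Sha256,
        [Parameter(Mandatory)] [string]$Thumbprint
    )
    # Published values are often shown with spaces or colons; strip them.
    $wantHash  = ($Sha256     -replace '[\s:]', '').ToUpperInvariant()
    $wantThumb = ($Thumbprint -replace '[\s:]', '').ToUpperInvariant()

    # 1. Integrity: the file on disk must match the published hash.
    $gotHash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    if ($gotHash -ne $wantHash) {
        Write-Warning "Hash mismatch: got $gotHash"
        return $false
    }

    # 2. Signature: the file must carry a signature that matches its content.
    $sig    = Get-AuthenticodeSignature -LiteralPath $Path
    $status = $sig.Status.ToString()
    if ($status -in 'NotSigned', 'HashMismatch' -or -not $sig.SignerCertificate) {
        Write-Warning "Signature rejected: $status"
        return $false
    }

    # 3. Identity: compare the signer with the pinned thumbprint. Status is
    #    only 'Valid' when the chain ends in a root Windows trusts, so for a
    #    self-issued chain the pin is what establishes who signed the file.
    $gotThumb = $sig.SignerCertificate.Thumbprint.ToUpperInvariant()
    if ($gotThumb -ne $wantThumb) {
        Write-Warning "Unexpected signer: $($sig.SignerCertificate.Subject) [$gotThumb]"
        return $false
    }

    Write-Host "OK: $($sig.SignerCertificate.Subject) (chain status: $status)"
    return $true
}

Test-PinnedInstaller -Path '.\uh-vpn-installer_1.0.3.msi' `
    -Sha256 $ExpectedSha256 -Thumbprint $ExpectedThumbprint
```

The expected values should be obtained over a channel separate from the installer download, otherwise whoever can replace the file can replace the values too.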