Code Signing with a Certum certificate

I want to sign a static .exe build of one of my Open Source programs so that it will be executable in a "normal" manner to a "normal" Windows user.

I bought an Open Source Code Signing Certificate from certum.eu to be able to do this.

After some searching on the internet, I tried to sign the exe file using osslsigncode 1.7.1 on my Linux machine using

osslsigncode sign -pkcs12 cert.p12 -pass "..." -h sha2 -t http://timestamp.verisign.com/scripts/timstamp.dll -in some.exe -out some-signed.exe

Having somebody test it on Windows 10, a rough warning pops up: "Windows protected your PC. Windows SmartScreen prevented an unrecognized app from starting. Running this app might put your PC at risk."

So I tried to use the native Windows tool signtool.exe to sign it. I installed it in my old virtual Windows XP (where I also compiled the program; I don't have access to any other Windows machine) and signed the exe file with

"C:\Programme\Microsoft SDKs\Windows\v7.1\Bin\signtool.exe" sign /f C:\cert.p12 /p "..." /t http://timestamp.verisign.com/scripts/timstamp.dll C:\some.exe

This tool also said everything was okay, but still, the very same warning pops up.

This way, the certificate is simply useless, as the "signed" exe file does produce the very same warning as the unsigned one. I would greatly appreciate help about this.

Tobias Leupold asked Jan 04 '17 22:01
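Before concluding that a certificate is useless, it helps to confirm that the signing step actually embedded an Authenticode signature in the file: both osslsigncode and signtool write it as a WIN_CERTIFICATE structure pointed to by the PE security data directory. The script below is an added example, not code from the question or from the osslsigncode project; it parses that structure from any PE file and reports what it finds. `build_demo_pe` is a hypothetical helper that constructs a header-only PE with a placeholder blob so the script runs offline; the placeholder is not a real PKCS#7 signature.

```python
import struct
from typing import Optional

# Constants from the PE/COFF and Authenticode specifications.
IMAGE_DIRECTORY_ENTRY_SECURITY = 4        # data directory slot holding the signature
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
WIN_CERT_REVISION_2_0 = 0x0200
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002   # Authenticode PKCS#7 SignedData


def authenticode_info(pe: bytes) -> dict:
    """Locate the WIN_CERTIFICATE entries an Authenticode signer appends to a PE.

    Returns {"signed": bool, "pe32plus": bool, "certificates": [...]}.
    Only the container structure is checked; the PKCS#7 contents, the
    certificate chain and the timestamp are not validated here.
    """
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4
    opt = coff + 20                           # COFF file header is 20 bytes
    (magic,) = struct.unpack_from("<H", pe, opt)
    if magic == PE32_MAGIC:
        dirs = opt + 96                       # data directories start here for PE32
    elif magic == PE32PLUS_MAGIC:
        dirs = opt + 112                      # ... and here for PE32+ (64-bit)
    else:
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    (num_dirs,) = struct.unpack_from("<I", pe, dirs - 4)   # NumberOfRvaAndSizes
    result = {"signed": False, "pe32plus": magic == PE32PLUS_MAGIC, "certificates": []}
    if num_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return result
    # For the security directory the "VirtualAddress" field is a raw file offset.
    sec_off, sec_size = struct.unpack_from("<II", pe, dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    if sec_off == 0 or sec_size == 0:
        return result
    end = sec_off + sec_size
    if end > len(pe):
        raise ValueError("security directory points past end of file")
    cursor = sec_off
    while cursor + 8 <= end:
        length, revision, cert_type = struct.unpack_from("<IHH", pe, cursor)
        if length < 8 or cursor + length > end:
            raise ValueError("malformed WIN_CERTIFICATE length")
        result["certificates"].append({
            "revision": revision,
            "type": cert_type,
            "is_authenticode": cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA,
            "blob": pe[cursor + 8:cursor + length],
        })
        cursor += (length + 7) & ~7           # entries are padded to 8-byte alignment
    result["signed"] = any(c["is_authenticode"] for c in result["certificates"])
    return result


def build_demo_pe(signature_blob: Optional[bytes], pe32plus: bool = False) -> bytes:
    """Hypothetical helper: build a minimal header-only PE (not a runnable exe)."""
    opt_size = 240 if pe32plus else 224       # standard optional header sizes, 16 directories
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)     # e_lfanew: PE header right after DOS header
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    dir_base = 112 if pe32plus else 96
    struct.pack_into("<I", opt, dir_base - 4, 16)            # NumberOfRvaAndSizes
    header_len = len(dos) + 4 + len(coff) + opt_size          # 312 or 328, both 8-aligned
    win_cert = b""
    if signature_blob is not None:
        win_cert = struct.pack("<IHH", 8 + len(signature_blob), WIN_CERT_REVISION_2_0,
                               WIN_CERT_TYPE_PKCS_SIGNED_DATA) + signature_blob
        win_cert += b"\0" * (-len(win_cert) % 8)
        struct.pack_into("<II", opt, dir_base + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                         header_len, len(win_cert))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + win_cert


if __name__ == "__main__":
    # Constructed placeholder; a real signature is a DER-encoded PKCS#7 SignedData.
    info = authenticode_info(build_demo_pe(b"PLACEHOLDER-NOT-A-REAL-PKCS7"))
    print("signed:", info["signed"], "entries:", len(info["certificates"]))
    print("unsigned:", authenticode_info(build_demo_pe(None))["signed"])
```

On a real file, call `authenticode_info(open("some-signed.exe", "rb").read())`; a `signed: False` result means the signing step did not embed anything, whatever the tool reported. A `True` result only proves the container is present; checking that the chain reaches a trusted root and that a timestamp countersignature exists is what `osslsigncode verify -in some-signed.exe` does, and SmartScreen's reputation decision is a separate layer on top of both.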


1 Answer


Short answer: Wait a couple of days and the problem will disappear.

I had the same issue with my Certum certificate earlier this year. And a few years ago, I had a commercial certificate I got from Comodo and it initially had the same issue as well.

The bottom line is that your new certificate and signed binaries need some time to gain trust and be auto-verified by Microsoft's code-signing reputation service.

Start distributing your signed exe to as many PCs as you can and use the "advanced" option to force the exe to run anyway. That might help bump the reputation up faster.

selbie answered Oct 02 '22 12:10