EV Code Signing certificate or Code Signing Certificates for Microsoft Authenticode

I developed a free personal finance application. It is a hobby for me. I have it on my website for download. http://moneyble.com/download/

I frequently (once a month or so) release a new version. So the file's hash changes.

When the file is downloaded from my website the browser displays a warning that the file is not commonly downloaded and can be dangerous. Also on Windows 8 machines SmartScreen warning pops up.

Both these warnings are killing any new users who try to download my software.

I read some articles about Code Signing and realized that I have to buy a Code Signing Certificate. It sounds stupid to pay Microsoft for the right to release my own software. Like they own the Internet. But anyway... they set the rules.

Question:

Should I spend $500 on EV Code Signing Certificate?

or

Can I buy a much cheaper ($100-$200) Microsoft Authenticode Certificate and still get rid of both warnings (Download and SuckScreen)?

My exe-s currently have no reputation with MS. I update exe-s frequently. User-base is slowly growing from 0.

Does anybody have similar real-life experience?


I still don't know, though, how to sign a zip package. I provide a portable install of my program as well. If you download the portable zip package in Google Chrome, it displays a nasty message: "Moneyble.zip is not commonly downloaded and could be dangerous". The exe within that package is signed, but it does not help. IE does not have this problem. It's only Google Chrome's issue.

If anyone has suggestions on how to distribute portable installations, I would really appreciate it.

If you want to check warnings download one of the installers from: http://moneyble.com/download/

Sergei Overko asked Jan 14 '14 21:01




2 Answers

I've just written up a couple of blog posts on this very topic. The following three screenshots are illustrative of the progression from unsigned through standard Authenticode certificate to EV Authenticode certificate:

[Screenshot: No digital signature]

[Screenshot: Signed with standard Authenticode certificate from DigiCert]

[Screenshot: Signed with EV Authenticode certificate from DigiCert]

So unless you can amass whatever critical volume of users Microsoft deems to mean that your program is commonly downloaded, an EV certificate is the fastest way to remove the SmartScreen warnings for all users. For what it's worth, the DigiCert hardware token was very easy to use through the Windows Certificate Manager, but the $450 it cost us is admittedly quite expensive, especially for a hobby.

Rich Pollock answered Sep 26 '22 03:09
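To see for yourself which of the three states described above a downloaded installer is in (unsigned, standard Authenticode, or EV), here is an added PowerShell check; it is not from the question or the answers. It assumes a local path to the .exe or to the portable .zip (a zip has no Authenticode signature of its own, so the script extracts it and checks each executable inside), and it flags EV certificates by the CA/Browser Forum EV code-signing policy OID 2.23.140.1.3.

```powershell
function Test-InstallerSignature {
    param([Parameter(Mandatory)][string]$Path)

    # CA/Browser Forum certificate-policy OID carried by EV code-signing certificates.
    $EvCodeSigningOid = '2.23.140.1.3'

    $files = @()
    if ([IO.Path]::GetExtension($Path) -eq '.zip') {
        # A zip cannot carry an Authenticode signature; only its contents can be signed,
        # which is why the browser download warning is unaffected by signing the inner exe.
        $tmp = Join-Path ([IO.Path]::GetTempPath()) ([IO.Path]::GetRandomFileName())
        Expand-Archive -LiteralPath $Path -DestinationPath $tmp -Force
        $files = Get-ChildItem -Path $tmp -Recurse -File -Include *.exe, *.dll
    } else {
        $files = @(Get-Item -LiteralPath $Path)
    }

    foreach ($f in $files) {
        $sig    = Get-AuthenticodeSignature -FilePath $f.FullName
        $signer = $null
        $isEv   = $false
        if ($sig.SignerCertificate) {
            $signer = $sig.SignerCertificate.Subject
            # The Certificate Policies extension (OID 2.5.29.32) lists the policy OIDs;
            # Format($false) renders it as text we can search for the EV OID.
            $policies = $sig.SignerCertificate.Extensions |
                Where-Object { $_.Oid.Value -eq '2.5.29.32' } |
                Select-Object -First 1
            if ($policies -and ($policies.Format($false) -match [regex]::Escape($EvCodeSigningOid))) {
                $isEv = $true
            }
        }
        [pscustomobject]@{
            File   = $f.Name
            Status = $sig.Status      # Valid, NotSigned, HashMismatch, UnknownError, ...
            Signer = $signer
            IsEV   = $isEv
        }
    }
}

# Constructed usage; the path is a placeholder, not a file from the page.
Test-InstallerSignature -Path 'C:\Downloads\Moneyble.zip' | Format-Table -AutoSize
```

A `Status` of `Valid` with `IsEV` false is the middle screenshot's case: the publisher is identified, but SmartScreen reputation still has to be earned over time.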


Certification authorities only issue Extended Validation certificates to a developer on condition that the request is on behalf of a recognised organisation for which the developer is providing a paid service.

Developers may apply for non-EV code signing certificates for their own use.

To learn more, try this link:

https://cabforum.org/audit-criteria/

Eugene Balabanov answered Sep 26 '22 03:09