
First and foremost, this is my very first experience with Code Signing.

I bought Standard Code Signing from Certum for 3 years.

I intend to publish applications in the Czech Republic mostly.

But to the point: on Windows 10, when I download the signed executable, I get stopped by the SmartScreen filter, which blocks the application.

I don't know what to think. I used SHA256 and a time stamp. I signed it on Windows 8.1 fully updated.

Here is the command I used to sign the EXE file:

    SignTool sign /fd SHA256 /a /tr http://time.certum.pl "Barvy.exe"

Did I do something wrong?

Here is a picture detail of the signature of the EXE file:

[image: digital signature details of the EXE file]

LinuxSecurityFreak
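As an added example (not part of the question or of either answer), here is the signing step from the question carried through in PowerShell together with the checks a practitioner would run before publishing: SHA-256 for both the file digest and the RFC 3161 timestamp digest, then verification with signtool's Authenticode policy and a cross-check with Get-AuthenticodeSignature that the signature is valid and actually carries a timestamp. It assumes signtool.exe from the Windows SDK is on PATH, that the Certum certificate with its private key is installed in the CurrentUser\My store so that /a can select it, and the file path .\Barvy.exe; the parameter names are mine. A signature that passes these checks is what the poster already had: the script confirms the signature is correct, it does not change the reputation problem the answers describe.

```powershell
# Added example: sign an executable with SHA-256 digests and an RFC 3161 timestamp,
# then verify the result. Assumptions (not from the original post): signtool.exe is on
# PATH, the signing certificate is in CurrentUser\My, and the target is .\Barvy.exe.
param(
    [string]$File = ".\Barvy.exe",
    [string]$TimestampUrl = "http://time.certum.pl"
)

$ErrorActionPreference = "Stop"

if (-not (Test-Path -LiteralPath $File)) { throw "File not found: $File" }

# /fd  digest algorithm used to hash the file
# /td  digest algorithm requested from the RFC 3161 timestamp server (set it explicitly
#      rather than relying on signtool's default)
# /tr  RFC 3161 timestamp server (/t would use the legacy Authenticode timestamp protocol)
# /a   let signtool pick the best matching code signing certificate from the store
# /v   verbose output, so the chosen certificate and timestamp are shown
& signtool.exe sign /fd SHA256 /td SHA256 /tr $TimestampUrl /a /v $File
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# Verify against the default Authenticode policy (/pa), i.e. the chain Windows itself builds.
& signtool.exe verify /pa /v $File
if ($LASTEXITCODE -ne 0) { throw "signtool verify failed with exit code $LASTEXITCODE" }

# Cross-check from PowerShell. Without a timestamp countersignature the signature stops
# validating once the certificate expires, so treat a missing timestamper as a failure.
$sig = Get-AuthenticodeSignature -FilePath $File
if ($sig.Status -ne "Valid") {
    throw "Signature status is $($sig.Status): $($sig.StatusMessage)"
}
if (-not $sig.TimeStamperCertificate) {
    throw "Signature is valid but carries no timestamp countersignature"
}

# Summary of what was applied; compare Signer/Issuer with what the CA issued to you.
[pscustomobject]@{
    File        = (Resolve-Path -LiteralPath $File).Path
    Signer      = $sig.SignerCertificate.Subject
    Issuer      = $sig.SignerCertificate.Issuer
    NotAfter    = $sig.SignerCertificate.NotAfter
    Timestamper = $sig.TimeStamperCertificate.Subject
    Status      = $sig.Status
}
```

Run it from a Developer Command Prompt or any shell where signtool.exe resolves; if several certificates in the store could sign, replace /a with /sha1 and the thumbprint of the intended certificate so a different one is never picked silently.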

2 Answers


Applications that are signed with a standard code signing certificate need to have a positive reputation in order to pass the SmartScreen filter. Microsoft establishes the reputation of an executable based upon the number of installations worldwide of the same application. Since you haven't published your application as yet (and therefore the reputation hasn't been established as yet), SmartScreen will continue to flag the application.

There are two solutions: either wait until the application has a large user base and its reputation is adjusted by SmartScreen. However, in the meantime the warning might prevent users from installing and trusting the application. The second option is to sign it with an EV (Extended Validation) code signing certificate. Applications signed with an EV certificate establish their reputation right away. To quote Microsoft:

Programs signed by an EV code signing certificate can immediately establish reputation with SmartScreen reputation services even if no prior reputation exists for that file or publisher.

You can find further details in the Microsoft SmartScreen & Extended Validation (EV) Code Signing Certificates blog post.

void_in

  • extortion scheme! – tofutim Mar 22 '18 at 11:39
  • Thanks for the info. So having just bought $100 dollars worth of trust from Comodo, I now find I need to buy an additional $250 dollars worth of trust? Extortion is right. – SmacL Dec 11 '18 at 09:35
  • @void_in `Microsoft establishes the reputation of an executable based upon the number of installations world wide of the same application`: when not using EV code signing, does someone have an *estimation of the number of installations required to get whitelisted by SmartScreen*? – Basj Mar 20 '19 at 13:37
  • I'm not sure if it mentions anywhere that a sole proprietor, i.e. a single-person developer, i.e. a freelancer, will not be able to buy an Extended Validation (EV) cert. They sell it only to companies/organizations, or LLCs. – c00000fd Sep 20 '19 at 23:46
  • @Basj Wonder if `the same application` also means the same version, or if the reputation counter will reset every time you release an updated installer :-/ – Gertsen Feb 20 '20 at 13:04
  • I have the same question @Gertsen, it would be a shame if the counter resets to 0, but it's probably the case :/ – Basj Feb 20 '20 at 13:41
  • @Basj sadly I suspect that's true. We've been deploying our application for years now, thousands of installs, and it's still blocked by SmartScreen. And we release new versions every month, which is why I fear it resets every time :-( – Gertsen Feb 20 '20 at 14:23
  • Really @Gertsen, still blocked after thousands of installs? What kind of certificate do you have? EV or non-EV, which provider? PS: do your customers contact you about the SmartScreen problem or do they just not care about this? – Basj Feb 20 '20 at 14:34
  • @Basj It's a GlobalSign Code Signing Standard, SHA256 G3 via SafeNet USB tokens (non-EV). We've had to put a guide on how to handle SmartScreen on our download page, but it still causes problems from time to time :-( – Gertsen Feb 21 '20 at 07:12
  • If you submit your program for Microsoft logo certification for each new build, the reputation should carry over. – pcalkins May 27 '20 at 22:07
  • (1) The counter resets to zero with every patch you upload; (2) This seems to me to be extortion and also designed to punish smaller developers who have normal certificates, since EV certs are very expensive; (3) My customers often think that I am purveying a virus, malware or something illegitimate and they tell their friends and I lose sales. Somewhere in this morass there has to be an intelligent attorney who might be ready to take on a class action. – John Tamburo Jun 14 '20 at 21:41
  • @JohnTamburo This is really a big problem. Have you found a solution in the meantime? – Basj Sep 08 '20 at 08:59
  • I wonder whether Microsoft's collection of the number of installations is vulnerable to spoofing or automation and whether it is GDPR compliant. – Enos D'Andrea Sep 12 '20 at 07:25
  • This helps mammoth corporations (for which $5000 for a 5-year EV is like 1 penny) & hurts small/independent developers. And you know what? In most cases those small developers build better software. Haven't you got tired of the 500MB-1GB software bloatware that comes with each f*ck*ng printer/laptop/main-board? My audio driver is 600MB, for a stupid GUI that shows me how the music would sound if I am in a bathroom or cave... WTF? Did they really lose the ability to hire decent programmers? Do we really have to punish independent devs with such a fee for their (free in most cases) good software? – Gravity Sep 30 '20 at 09:08
  • I am running into this as well. My app is built for a niche industry so there are only a couple hundred installs maybe. I purchased a security certificate but it does absolutely no good since the SmartScreen filter still blocks everything, even though I have been publishing my app with this certificate for a year now probably. I push updates once a month, so if a new update really resets my reputation, I don't know why I even bother with certificates at all.. – lucky.expert Dec 24 '20 at 18:59
  • I also just fell into that trap. Bought an individual certificate, set up the sign process for each new build I am providing for my users, and now I find the certificate does not disable the SmartScreen warning - it does not even mention that the application is signed at all. $130 out of the window. – Anse Jan 06 '21 at 21:07
  • https://news.ycombinator.com/item?id=23392404 – Gravity Jun 03 '21 at 08:18

If you have a standard code signing certificate, some time will be needed for your application to build trust. Microsoft affirms that an Extended Validation (EV) Code Signing Certificate allows the developer to skip this period of trust building. According to Microsoft, extended validation certificates allow the developer to immediately establish reputation with SmartScreen. Otherwise, for some time, until your application builds trust, the users will see a warning like "Windows Defender SmartScreen prevented an unrecognized app from starting. Running this app might put your PC at risk.", with the two buttons "Run anyway" and "Don't run".

Another Microsoft resource states the following (quote): "Although not required, programs signed by an EV code signing certificate can immediately establish reputation with SmartScreen reputation services even if no prior reputation exists for that file or publisher. EV code signing certificates also have a unique identifier which makes it easier to maintain reputation across certificate renewals."

My experience is the following. We have used regular (non-EV) code signing certificates for signing .MSI, .EXE and .DLL files since 2005, with timestamping, and never had problems with SmartScreen until 2018, when there was just one case in which it took 3 days for a beta version of our application to build trust after we released it to beta testers, and that was in the middle of the certificate's validity period. I have no idea what SmartScreen might not have liked in that particular version of our application, but there have been no complaints since then. Therefore, if your certificate is non-EV, it is the signed application (such as an .MSI file) that builds trust over time, not the certificate. As in our case, a certificate may have been issued a few months ago and used to sign many files, but for each signed file you are publishing, it may take several days for SmartScreen to stop complaining about the file after it is published.

Maxim Masiutin

  • They don't mention that an EV certificate uses a hardware key, and cannot be used with cloud build infrastructure :( – MarcusUA May 29 '19 at 15:47
  • @MarcusUA Exactly - not being able to sign in DevOps or a similar non-local deployment pipeline is extremely annoying. I suspect it might be possible if the certificate is stored in Azure Key Vault, but you can't reuse your local certificate for that; it requires a separate certificate for this, effectively doubling the price of an already very expensive certificate. – Gertsen Feb 20 '20 at 13:02
  • @MarcusUA Do all EV certificates require a hardware key? – Basj Sep 08 '20 at 09:02
  • @MarcusUA When I wrote this answer (in 2018), all EV certificates required a hardware key, but I have not researched this topic since then. At least I have not heard the contrary since then. – Maxim Masiutin Sep 09 '20 at 10:33
  • @Basj yes, that's the thing – MarcusUA Sep 12 '20 at 21:34
  • It seems there is another way to get certified without buying an expensive EV, by (quote) "distributing your apps through the Windows Store". See: https://docs.microsoft.com/en-us/archive/blogs/ie/microsoft-smartscreen-extended-validation-ev-code-signing-certificates I hope getting into the Windows Store is not more expensive than the EV :) – Gravity Sep 30 '20 at 09:18