I’m wondering what your experience and wisdom is relating to code signing on Windows. I really don’t have a good sense of whether it’s “worth it” or not. I’ve spent the past couple of days setting up automated code signing and notarization for macOS builds, which was pretty straightforward and inexpensive. Now trying to decide if I should spend time and money code signing Windows.
My experience is it’s only worth going for the extended validation option. It’s the much more expensive option. It fast tracks you to a verified trusted status. The standard option supposedly requires a certain number of installs before it becomes trusted. I had 1000s of installs over a span of a year and this wasn’t enough, so the installer would still scare users with the yellow warning box. YMMV.
Also in my experience, the “standard option” simply does not work in practice and your installers will be “blocked” (not completely, but the user experience is very bad).
Go directly for the extended EV certificate, even with its price tag.
The standard certificate option is a complete waste of money.
I paid $319 for a Comodo EV certificate at codesigningstore.com. You may need to provide proof of your identity, like with phone calls to you from the States.
Be aware that these certificates are delivered with a hardware key, which can be a bit tricky with CI/CD, as you have to type in a password for the signing (there are ways to have this done automatically).