Hey everyone,
I’m looking into code signing for my JUCE plugin on Windows, and the situation seems to be getting trickier. I’ve seen Azure Trusted Signing recommended a few times here on the forum, but it’s now only available in the US and Canada for new consumers (https://techcommunity.microsoft.com/blog/microsoft-security-blog/trusted-signing-public-preview-update/4399713).
From what I gather:
It’s getting harder to avoid SmartScreen warnings with just an OV certificate.
EV seems to offer instant trust, but it’s more expensive and involves extra steps or hardware.
There’s also the option of cloud-based signing vs using a local USB token/private key.
A few questions:
Should I go for an EV or OV certificate as a small indie dev?
Is there a significant difference between cloud-based signing and using a local/private key?
Are there any reputable certificate authorities people here recommend?
And finally — is there any practical difference between signing the .exe installer versus signing the .vst3 plugin directly?
Would love to hear your thoughts or recent experiences.
Thanks!
Wow, what an awful step by Microsoft. I guess it was too much of a hassle dealing with the rest of the world, although the wording does leave room for interpretation that once the preview period is finished they’ll open it up again.
Fingers crossed! 
This is difficult thing really, the price for OV certs has gone up significantly, to the degree that the difference to EV didn’t seem that bad when I was looking at it before I managed to get into the ATS preview program. OV certs will trigger the SmartScreen nonsense until you manage to build trust, and every time you renew the trust is reset iirc.
Price. The cloud-based signing seemed excessively expensive and limited.
I’ve never signed the plugins themselves, but I did read that signing the plugins can help alleviate false positives for anti-virus. If you don’t sign the installer though you’ll get the yellow “untrusted” warning when the installer attempts to raise its admin rights.
Thanks for the reply.
It sounds like Microsoft does plan to make Azure Trusted Signing available more widely (they talk about global availability) after the preview phase, but there’s no clear timeline yet.
Quick follow-up. Do you or anyone else have any certificate providers you’d recommend, or ones to avoid?
Thanks again.
I am in The Netherlands and I am paying monthly for this MS EV signing service.
A quick glance at the MS text: it seems to be about NEW customers for this service.
Yes Peter, it’s about new customers only, that’s what the link in my first post was referring to. Sorry for not phrasing it more clearly.
You’ll also have issues with the Microsoft Azure solution as long as you don’t have 3 years of company history. I wrote up an article on using your own cloud key store as an alternative, using AWS KMS, but others have written about using Azure KeyVault etc: Signing Windows binaries using AWS KMS
This approach is a tad trickier than using hardware dongles, BUT you can sign stuff in CI pipelines which for us far outweigh the drawbacks. Once set up, it’s super easy to use too, and very cheap. Literally only have to pay for an EV cert (would always recommend EV certs, hard to avoid the SmartScreen warnings without).
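As an added example to go with the two points made above (signing the plugin binary as well as the installer, and signing from a script so it can run in CI), here is a PowerShell script that is not from the thread or from the linked AWS KMS article. It assumes the certificate is already in the CurrentUser\My store (for instance exposed by an EV USB token's CSP), that `signtool.exe` from the Windows SDK is on the PATH, and that the .vst3 is built as a bundle folder with the actual DLL at `Contents\x86_64-win\`; the thumbprint, timestamp URL and file paths are placeholders to replace with your own.

```powershell
# Added example, not code from the thread. Signs the installer AND the .vst3
# binary with the same certificate, adds an RFC 3161 timestamp, then verifies both.
# Assumptions: cert is in CurrentUser\My (e.g. via an EV token's CSP), signtool.exe is
# on the PATH, and every value below marked "placeholder" is replaced by the reader.
param(
    [string]$Thumbprint   = 'REPLACE_WITH_CERT_SHA1_THUMBPRINT',   # placeholder
    [string]$TimestampUrl = 'http://timestamp.example.invalid',     # placeholder: your CA's RFC 3161 URL
    [string[]]$Artifacts  = @(
        '.\build\MyPluginInstaller.exe',                             # placeholder path
        '.\build\MyPlugin.vst3\Contents\x86_64-win\MyPlugin.vst3'    # placeholder: the DLL inside the bundle
    )
)

$signtool = (Get-Command signtool.exe -ErrorAction Stop).Source

function Invoke-Sign([string]$Path) {
    # /sha1 selects the cert from the store by thumbprint; /fd SHA256 is the file digest.
    # /tr + /td SHA256 request an RFC 3161 timestamp so the signature keeps validating
    # after the certificate itself expires or is renewed.
    & $signtool sign /sha1 $Thumbprint /fd SHA256 /tr $TimestampUrl /td SHA256 /v $Path
    if ($LASTEXITCODE -ne 0) { throw "signtool failed on $Path (exit code $LASTEXITCODE)" }
}

function Test-Signed([string]$Path) {
    # Get-AuthenticodeSignature is built into PowerShell. Status 'Valid' means the file
    # hash matches the signature and the chain builds to a trusted root on this machine.
    # We also insist the signer is OUR cert and that a timestamp countersignature exists.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $timestamped = ($null -ne $sig.TimeStamperCertificate)
    $ok = ($sig.Status -eq 'Valid') -and
          ($sig.SignerCertificate -and $sig.SignerCertificate.Thumbprint -eq $Thumbprint) -and
          $timestamped
    [pscustomobject]@{
        File        = Split-Path $Path -Leaf
        Status      = $sig.Status
        Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
        Timestamped = $timestamped
        Ok          = $ok
    }
}

# Sign every artifact; fail the build on the first missing file or signing error.
foreach ($a in $Artifacts) {
    if (-not (Test-Path $a)) { throw "missing artifact: $a" }
    Invoke-Sign $a
}

# Verify every artifact and make the script (and therefore the CI job) fail if any
# one of them is unsigned, signed by the wrong cert, or missing a timestamp.
$results = $Artifacts | ForEach-Object { Test-Signed $_ }
$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Ok }) {
    throw 'one or more artifacts failed signature verification'
}
```

The verification step is the part worth keeping even if you sign some other way (hardware token by hand, a cloud KSP, or the AWS KMS setup from the linked article): it catches the case where only the installer got signed and the .vst3 inside it did not, and it checks for the timestamp, which is what keeps an already-shipped build validating after the certificate is renewed. `signtool verify /pa /v <file>` gives the same answer from the command line if you prefer it over the cmdlet.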