I’m about to buy a certificate on Windows for code-signing plugin installers (and hopefully signing VST3 and wrapping AAX as well). KSoftware is the vendor I’m planning to use. Their guide here describes the differences between OV and EV certificates. I am currently leaning towards an OV Certificate because it has a lower price and no need for a USB dongle.
However, I want to ensure no customers are prevented from running the installer by Windows Defender, nor see any warnings when they run the installer. As far as I can tell, the OV Certificate does not guarantee this and there is some amount of time where your certificate lacks the ‘SmartScreen Reputation’ needed to provide a seamless installation experience.
I wonder then, how much time and effort is needed to gain the needed SmartScreen reputation for customers to not see any warnings when installing? I’m planning to distribute the installer to a few QA testers and personally download and install the software on my own machines - would this make some progress towards getting the needed reputation?
If much time and effort is needed to get the reputation, it might be more worthwhile for me to just go with the EV certificate and get the instant SmartScreen reputation and not have to spend any further time working on this.
OK, thanks for your response! During that year, did the certificate get a lot of use (customers/testers downloading) and did you try any other tricks to gain reputation?
For example, I heard people downloading the installer from a company website, then running it, generates more reputation than if it’s downloaded from Drive or Dropbox.
My experience: buying an OV certificate was a complete waste of money and time, it did not stop the warnings for installers on Windows. Waiting for this vague “publisher reputation” stuff will only harm your actual reputation. You really need an EV certificate if you want to avoid the SmartScreen blocker/warning from the onset. Be aware that it is delivered on a physical USB stick, which is also needed for signing.
Be careful when performing the certificate request step. First year everything was just fine, second year I used a wrong version of Firefox and couldn’t retrieve the certificates once they were created by Sectigo.
Usually you would just create another certificate request at Sectigo, but that’s something KSoftware would have to do. I wrote several mails to them, even called a couple of times, no answer, so money gone and no certificate. I stumbled across this too late: K Software Reviews | Read Customer Service Reviews of ksoftware.net
Now using EV certificates directly ordered from Sectigo. No problems so far.