I’m about to buy a certificate on Windows for code-signing plugin installers (and hopefully signing VST3 and wrapping AAX as well). KSoftware is the vendor I’m planning to use. Their guide here describes the differences between OV and EV certificates. I am currently leaning towards an OV Certificate because it has a lower price and no need for a USB dongle.
However, I want to ensure no customers are prevented from running the installer by Windows Defender, nor see any warnings when they run the installer. As far as I can tell, the OV Certificate does not guarantee this and there is some amount of time where your certificate lacks the ‘SmartScreen Reputation’ needed to provide a seamless installation experience.
I wonder then, how much time and effort is needed to gain the needed SmartScreen reputation for customers to not see any warnings when installing? I’m planning to distribute the installer to a few QA testers and personally downloading and installing the software on my own machines - would this make some progress towards getting the needed reputation?
If much time and effort is needed to get the reputation, it might be more worthwhile for me to just go with the EV certificate and get the instant SmartScreen reputation and not have to spend any further working on this.
I’ve heard mixed things, from weeks to months. Personally, I had about a year and it still didn’t stop warning people. Caved and paid for EV.
OK, thanks for your response! During that year, did the certificate get a lot of use (customers/testers downloading) and did you try any other tricks to gain reputation?
For example, I heard people downloading the installer from a company website, then running it, generates more reputation than if it’s downloaded from Drive or Dropbox.
Didn’t try any tricks, there were probably around 2000 installs (guesstimate). My conclusion was EV is the easiest option. YMMV!
My experience: buying an OV certificate was a complete waste of money and time, it did not stop the warnings for installers on Windows. Waiting for this vague “publisher reputation” stuff will only harm your actual reputation. You really need an EV certificate if you want to avoid the SmartScreen blocker/warning from the onset. Be aware that it is delivered on a physical USB stick, which is also needed for signing.
Some vendors will allow you to deploy the cert to a cloud HSM (for example Azure), I wrote a tutorial here.
Be careful when performing the certificate request step. First year everything was just fine, second year I used a wrong version of Firefox and couldn’t retrieve the certificates once they were created by Sectigo.
Usually you would just create another certificate request at Sectigo, but that’s something KSoftware would have to do. I wrote several mails to them, even called a couple of times, no answer, so money gone and no certificate. I stumbled across this too late: K Software Reviews | Read Customer Service Reviews of ksoftware.net
Now using EV certificates directly ordered from Sectigo. No problems so far.
Do you think Sectigo EV Certificate might work with a cloud HSM? I saw you used GlobalSign in your tutorial.
Thanks for the heads up on ksoftware! Now I’m going to go with Sectigo or GlobalSign
I also just bought an OV certificate on SSL2BUY (Comodo one). It went very smoothly. Indeed, SmartScreen still gives the alert but at least I don’t have the unknown publisher anymore. The EV was way too expensive, what a scam.
Of course if I ever make real money off of it I might get one…