Which Windows EV code signing?

We are currently looking into EV code signing on Windows, because several customers said that Windows flags our installers as unsafe.

I saw that there are quite a few companies which offer EV certificates. For example:
DigiCert,
Sectigo,
GlobalSign,
Entrust,
Certum,
SSL
(And probably others)

I am a bit confused at the moment: which of those should I choose?
Which certification company are you using for your EV certificates?

We’re using SSL.com.

They deliver their certificate on a YubiKey dongle though, which might be problematic for automated build chains. There are workarounds to facilitate automated build chains with YubiKey, but the regular old signtool will want a PIN entry on every signature with this. There is a third-party option (ScSignTool), which can handle the PIN for regular signatures, but I have yet to find a way for PACE wraptool to work with the PIN… Right now I have all signatures automated with the exception of AAX. So on every installer build I have to enter the PIN once for AAX…

Unfortunately, it seems these days providers only distribute the EV certificates on dongles and only give you cert files for OV certificates, which have the advantage of working easily with signtool and PACE wrapper, but don’t satisfy Windows SmartScreen off the bat (it will need a few startups on different machines until Microsoft knows you and deems you safe). I haven’t yet found a way to just disable the PIN on the YubiKey either…

Also check out this thread a few entries further down 🙂