Just wanted to find out what everyone is doing with code signing on windows. I remember a topic a little while ago where some people weren’t bothering whilst others decided basic certificates were enough.
It seems to me that windows defender/edge browser have become far more picky about what they like people to download. Recently users with defender as their av have reported that it warns of a trojan whenever they try to download our stuff. I sent the files off to windows for scanning and they basically said “yeah, your files are fine but we don’t trust the certificate yet because you haven’t used it enough”. Seems astonishing that something “untrustworthy” is immediately labeled as a trojan… The issues thankfully go away when people use chrome combined with other av software.
tl;dr are small developers bothering with the extra expense and hassle of EV code signing certificates or is it just accepted that these types of messages pop up on windows occasionally (here we are Mac users for years so don’t know the current expectations)?
Thanks for any opinions/thoughts you can provide,
David
In my experience this isn’t really the type of thing that users will reach out about.
If a user won’t take the time to install the plug-ins manually, they almost certainly will not take the time to send you feedback. Waiting for complaints is not always the best strategy!
We use EV certs, and used OV certs in the past. Before we started using them, we received quite a few user reports about the SmartScreen messages. The Windows certificate industry feels like kind of a racket, but it’s a necessary game to play at the moment if you want to maximize conversion rates.
My response was attempting to be brief. To elaborate, we have also not had any pop-up messages in all our testing and Beta users, etc.
Of course, now, in the Mac world, it's a whole new ball-game with signing, notarizing, etc. And, in the Windows world, to stay ahead of the curve, we will be signing all plugins going forward.
Yup, no choice but to have them hold your business hostage until they send you an EV cert on a USB key…
Does anyone here have experience with cloud EV certs, and could recommend a provider? The USB key makes it a PITA for setting up build pipelines since they need to be built locally, but worse, they pop up a window with a native message box for the password so I don't even know how to script this properly.
We’ve managed a full pipeline with github actions on mac but PC I’m still running things manually.
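For anyone scripting the Windows half of such a pipeline, the check worth automating is not the signing call itself but the verification afterwards: fail the build if the binary is not validly signed or carries no trusted timestamp (an untimestamped signature stops validating when the certificate expires, which is also when SmartScreen reputation resets). The script below is an added example written for this thread, not code from any poster or vendor. It assumes signtool.exe is on PATH, that the signing certificate (for example one surfaced by a hardware token's CSP) is visible in the current user's certificate store under the placeholder thumbprint, and uses a placeholder timestamp URL; replace all three with your own values. It does not embed the token PIN anywhere; the token client is still expected to handle that, as the thread discusses.

```powershell
# Added example: sign a build artifact and refuse to ship it unless the
# Authenticode signature verifies and is timestamped.
# Assumptions (not from the thread): signtool.exe on PATH, certificate
# selected by thumbprint from the CurrentUser\My store, RFC 3161 TSA URL.

param(
    [Parameter(Mandatory = $true)][string]$Path,
    [string]$Thumbprint   = 'REPLACE_WITH_CERT_THUMBPRINT',   # placeholder
    [string]$TimestampUrl = 'http://timestamp.example.invalid' # placeholder
)

function Invoke-Signing {
    param([string]$File, [string]$Sha1, [string]$Tsa)
    # /fd SHA256 : file digest; /tr + /td : RFC 3161 timestamp and its digest.
    # /sha1 selects the certificate by thumbprint so no interactive picker appears.
    & signtool.exe sign /fd SHA256 /tr $Tsa /td SHA256 /sha1 $Sha1 /v $File
    if ($LASTEXITCODE -ne 0) {
        throw "signtool failed with exit code $LASTEXITCODE for $File"
    }
}

function Test-ReleaseSignature {
    param([string]$File, [string]$ExpectedThumbprint)
    $sig = Get-AuthenticodeSignature -FilePath $File

    # Status must be Valid: chain builds to a trusted root and hash matches.
    if ($sig.Status -ne 'Valid') {
        throw "Signature status for ${File}: $($sig.Status) ($($sig.StatusMessage))"
    }
    # Signed with the certificate we intended, not some other one in the store.
    if ($sig.SignerCertificate.Thumbprint -ne $ExpectedThumbprint) {
        throw "Signed by unexpected certificate $($sig.SignerCertificate.Thumbprint)"
    }
    # A missing timestamper means the signature dies with the certificate.
    if ($null -eq $sig.TimeStamperCertificate) {
        throw "No timestamp counter-signature on $File"
    }
    # Report what the cert says about the signer, useful in CI logs.
    [pscustomobject]@{
        File        = $File
        Signer      = $sig.SignerCertificate.Subject
        NotAfter    = $sig.SignerCertificate.NotAfter
        Timestamper = $sig.TimeStamperCertificate.Subject
    }
}

Invoke-Signing -File $Path -Sha1 $Thumbprint -Tsa $TimestampUrl
Test-ReleaseSignature -File $Path -ExpectedThumbprint $Thumbprint | Format-List
```

Run it as `.\Sign-Release.ps1 -Path .\MyPlugin.vst3 -Thumbprint <thumbprint> -TimestampUrl <tsa>` once per artifact; any thrown error aborts a CI job with a non-zero exit, which is the behaviour you want so an unsigned or untimestamped build never reaches the download page.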
I'm also using an OV cert from Sectigo. Every 5 years when the certificate expires, there is a short period where SmartScreen complains. We put a warning on our website about SmartScreen being stupid and wrong, and just wait until our SmartScreen reputation improves. It makes me angry every time, but I'm not sure I want to deal with another hardware token (the iLok requirement for AAX plugins is already annoying enough).
I'm also using SafeNet and found out you can stop the Authentication Client asking for the token's password (except for the first time it's used). Not ideal but still an improvement as long as you don't log off.