Just wanted to find out what everyone is doing with code signing on Windows. I remember a topic a little while ago where some people weren’t bothering whilst others decided basic certificates were enough.

It seems to me that Windows Defender/Edge browser have become far more picky about what they like people to download. Recently users with Defender as their AV have reported that it warns of a trojan whenever they try to download our stuff. I sent the files off to Windows for scanning and they basically said “yeah, your files are fine but we don’t trust the certificate yet because you haven’t used it enough”. Seems astonishing that something “untrustworthy” is immediately labeled as a trojan… The issues thankfully go away when people use Chrome combined with other AV software.

tl;dr: are small developers bothering with the extra expense and hassle of EV code signing certificates, or is it just accepted that these types of messages pop up on Windows occasionally (here we have been Mac users for years so don’t know the current expectations)?

On Windows I use the basic PACE signing only for AAX format.

Starting this year, I may sign everything, however.


Interesting, do you have much issue with users saying that Defender/SmartScreen labels installers as unsafe? Or do you not bother with installers?

No, I do not use installers. Users just drag the plugin to the desired folder. And, no complaints.

We use EV code signing for our installers and the cloud app to avoid OS pop-ups.


In my experience this isn’t really the type of thing that users will reach out about.

If a user won’t take the time to install the plug-ins manually, they almost certainly will not take the time to send you feedback. Waiting for complaints is not always the best strategy!

We use EV certs, and used OV certs in the past. Before we started using them, we received quite a few user reports about the SmartScreen messages. The Windows certificate industry feels like kind of a racket, but it’s a necessary game to play at the moment if you want to maximize conversion rates.


Point taken.

My response was attempting to be brief. To elaborate, we have also not had any pop-up messages in all our testing and Beta users, etc.

Of course, now, in the Mac world, it’s a whole new ball game with signing, notarizing, etc. And, in the Windows world, to stay ahead of the curve, we will be signing all plugins going forward.

What is the cloud app?

Our own downloader that also installs plugins and their content (expansions for Nexus).