How to Use Individual Code Signing Certificates to get rid of SmartScreen warnings

The problem

Windows SmartScreen has for a while been trying to keep malware at bay. One of the ways it does that is by putting up a big scary warning when you try to run anything it hasn’t yet validated as safe:

You have to click “More info” then “Run anyway” to actually run it. Eventually an executable will gain enough installs for it to be deemed “safe”, but the first users to run your program will hit this hurdle. It’s not a huge problem if you have a lot of overall downloads but it can be troublesome for beta builds where releases are more frequent and the audience is smaller. Every time you release, you start all over again from zero trust.

The solution: Code signing

To solve this, you can digitally sign your executables, which allows you to benefit from the trust you earned from your other releases. That means if your certificate is trusted, any releases done with it are trusted. The downside is that code signing certificates are pricey. For a business, it’s not a huge issue to pay $500 a year to get a code signing certificate in the company’s name. But it’s a significant burden to open source developers who are just doing it in their spare time, giving software away for free.

But what about cheaper code signing?

I looked for alternatives. SignPath looked somewhat promising, but as far as I can tell it’s just some alternate software validation system and doesn’t inform SmartScreen decisions. Certum has a fairly cheap open source code signing cert, but requires special hardware, and I had heard horror stories about Certum support never getting back to you.

I eventually settled on the Comodo Individual Code Signing Certificate. $71 per year is something I can afford to just pay out of pocket.

How does it work?

Basically the system is: you buy the cert, you send them a selfie with your driver’s license to prove you are who you say you are, then they issue a certificate not to a company, but to you, personally. That means your real name must show up on the certificate! They will put your street address on the cert by default, but you can (and probably should) open a ticket on Sectigo support to leave off that part while the validation phase is happening. Your zip code has to be on the cert though.

After validation, they send you an email with instructions on how to pick up the cert from Firefox or IE 11. In my case I installed via IE11 and the certificate ended up in certmgr.msc under Personal/Certificates. The certificate name is your full name. You can right click -> export -> include private key -> .pfx format -> choose a password, and choose AES256-SHA256.

Now you’ve got your .pfx file. (Don’t check it into source control.) You can use signtool.exe (comes with Visual Studio or the Windows 10 SDK) to sign executables. I used a command like this:

signtool.exe sign /f d:\certs\YourCert.pfx /p myCoolPassword /fd SHA256 /tr http://timestamp.digicert.com /td SHA256 MyRadApp-1.0.exe

The /p argument is the password you exported the .pfx with. /fd SHA256 tells it to use the recommended, more secure file digest algorithm. /tr gives it a timestamp server that records when the file was signed. That comes in handy when your certificate expires: everything signed while it was valid stays valid, because the timestamp proves when the signing took place. /td SHA256 tells it to use the recommended, more secure timestamp digest algorithm.

After running the command, your .exe should be updated with the signed version.
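As an added example (my own wrapper, not part of the original post), here is a PowerShell script that runs the same signtool command and then confirms that the signature chains to a trusted root and that the timestamp counter-signature was actually embedded. The .pfx path, executable name and the CODESIGN_PFX_PASSWORD environment variable are assumptions; it expects signtool.exe on the PATH.

```powershell
# Added example: sign a release binary with the exported .pfx and verify the result.
# Assumes signtool.exe is on PATH (Windows 10 SDK) and the .pfx password is in
# the CODESIGN_PFX_PASSWORD environment variable (assumed name).
param(
    [Parameter(Mandatory)] [string] $PfxPath,     # e.g. d:\certs\YourCert.pfx (placeholder)
    [Parameter(Mandatory)] [string] $Executable   # e.g. MyRadApp-1.0.exe (placeholder)
)

$ErrorActionPreference = 'Stop'

# Keep the password out of the script file and out of shell history: read it from the environment.
$pfxPassword = $env:CODESIGN_PFX_PASSWORD
if (-not $pfxPassword) { throw 'Set CODESIGN_PFX_PASSWORD before running this script.' }

# Same options as the command above: SHA-256 file digest, RFC 3161 timestamp, SHA-256 timestamp digest.
& signtool.exe sign /f $PfxPath /p $pfxPassword /fd SHA256 `
    /tr http://timestamp.digicert.com /td SHA256 $Executable
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# Verify with the built-in cmdlet: Status must be Valid (trusted chain, intact hash)
# and a timestamper certificate must be present, otherwise the signature dies with the cert.
$sig = Get-AuthenticodeSignature -FilePath $Executable
if ($sig.Status -ne 'Valid') {
    throw "Signature status is $($sig.Status): $($sig.StatusMessage)"
}
if (-not $sig.TimeStamperCertificate) {
    throw 'No timestamp counter-signature found; re-run with /tr and /td.'
}

"Signed by:             $($sig.SignerCertificate.Subject)"
"Certificate expires:   $($sig.SignerCertificate.NotAfter)"
"Timestamped by:        $($sig.TimeStamperCertificate.Subject)"
```

The password still reaches signtool on its command line; if that bothers you, signtool can also pick the certificate straight from the Personal store with /n "Your Full Name" instead of /f and /p.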

Success!

After a while, my new releases stopped triggering the “this software may kill you” warnings. The cert is now trusted by SmartScreen.

I was initially unsure if it would work and was worried that maybe only the more expensive or super-expensive “Enhanced Validation” certs would be necessary. But thankfully not!