{"id":159,"date":"2021-05-25T06:10:15","date_gmt":"2021-05-25T06:10:15","guid":{"rendered":"https:\/\/engy.us\/blog\/?p=159"},"modified":"2021-05-25T06:10:15","modified_gmt":"2021-05-25T06:10:15","slug":"how-to-use-individual-code-signing-certificates-to-get-rid-of-smartscreen-warnings","status":"publish","type":"post","link":"https:\/\/engy.us\/blog\/2021\/05\/25\/how-to-use-individual-code-signing-certificates-to-get-rid-of-smartscreen-warnings\/","title":{"rendered":"How to Use Individual Code Signing Certificates to get rid of SmartScreen warnings"},"content":{"rendered":"\n<h2>The problem<\/h2>\n\n\n\n<p>Windows SmartScreen has for a while been trying to keep malware at bay. One of the ways of doing that is putting up a big scary warning when you try to run anything they haven&#8217;t validated as safe:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img data-attachment-id=\"160\" data-permalink=\"https:\/\/engy.us\/blog\/2021\/05\/25\/how-to-use-individual-code-signing-certificates-to-get-rid-of-smartscreen-warnings\/image-2\/\" data-orig-file=\"https:\/\/i2.wp.com\/engy.us\/blog\/wp-content\/uploads\/2021\/05\/image.png?fit=534%2C500&amp;ssl=1\" data-orig-size=\"534,500\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"image\" data-image-description=\"\" data-medium-file=\"https:\/\/i2.wp.com\/engy.us\/blog\/wp-content\/uploads\/2021\/05\/image.png?fit=300%2C281&amp;ssl=1\" data-large-file=\"https:\/\/i2.wp.com\/engy.us\/blog\/wp-content\/uploads\/2021\/05\/image.png?fit=525%2C492&amp;ssl=1\" loading=\"lazy\" width=\"525\" height=\"492\" 
src=\"https:\/\/i2.wp.com\/engy.us\/blog\/wp-content\/uploads\/2021\/05\/image.png?resize=525%2C492&#038;ssl=1\" alt=\"\" class=\"wp-image-160\" srcset=\"https:\/\/i2.wp.com\/engy.us\/blog\/wp-content\/uploads\/2021\/05\/image.png?w=534&amp;ssl=1 534w, https:\/\/i2.wp.com\/engy.us\/blog\/wp-content\/uploads\/2021\/05\/image.png?resize=300%2C281&amp;ssl=1 300w\" sizes=\"(max-width: 525px) 100vw, 525px\" data-recalc-dims=\"1\" \/><\/figure>\n\n\n\n<p>You have to click &#8220;More info&#8221; then &#8220;Run anyway&#8221; to actually run it. Eventually an executable will gain enough installs for it to be deemed &#8220;safe&#8221;, but the first users to run your program will hit this hurdle. It&#8217;s not a huge problem if you have a lot of overall downloads but it can be troublesome for beta builds where releases are more frequent and the audience is smaller. Every time you release, you start all over again from zero trust.<\/p>\n\n\n\n<h2>The solution: Code signing<\/h2>\n\n\n\n<p>To solve this, you can digitally sign your executables, which allows you to benefit from the trust you earned from your other releases. That means if your certificate is trusted, any releases done with it are trusted. The downside is that code signing certificates are pricey. For a business, it&#8217;s not a huge issue to pay $500 a year to get a code signing certificate in the company&#8217;s name. But it&#8217;s a significant burden to open source developers who are just doing it in their spare time, giving software away for free.<\/p>\n\n\n\n<h2>But what about cheaper code signing?<\/h2>\n\n\n\n<p>I looked for alternatives. <a href=\"https:\/\/about.signpath.io\/open-source\">SignPath<\/a> looked somewhat promising, but as far as I can tell it&#8217;s just some alternate software validation system and doesn&#8217;t inform SmartScreen decisions. 
Certum has a <a href=\"https:\/\/shop.certum.eu\/open-source-code-signing.html\">fairly cheap open source code signing cert<\/a>, but requires special hardware, and I had heard horror stories about Certum support never getting back to you.<\/p>\n\n\n\n<p>I eventually settled on the <a href=\"https:\/\/comodosslstore.com\/code-signing\/comodo-individual-code-signing-certificate\">Comodo Individual Code Signing Certificate<\/a>. $71 per year is something I can afford to just pay out of pocket.<\/p>\n\n\n\n<h2>How does it work?<\/h2>\n\n\n\n<p>Basically the system is: you buy the cert, you send them a selfie with your driver&#8217;s license to prove you are who you say you are, then they issue a certificate not to a company, but to you, personally. That means your real name must show up on the certificate! They will put your street address on the cert by default, but you can (and probably should) open a ticket on Sectigo support to leave off that part while the validation phase is happening. Your zip code has to be on the cert though.<\/p>\n\n\n\n<p>After validation, they send you an email with instructions on how to pick up the cert from Firefox or IE 11. In my case I installed via IE11 and the certificate ended up in <code>certmgr.msc<\/code> under <code>Personal\/Certificates<\/code>. The certificate name is your full name. You can right click -> export -> include private key -> .pfx format -> choose a password, and choose AES256-SHA256.<\/p>\n\n\n\n<p>Now you&#8217;ve got your .pfx file. (Don&#8217;t check it into source control.) You can use <a href=\"https:\/\/docs.microsoft.com\/en-us\/dotnet\/framework\/tools\/signtool-exe\">signtool.exe<\/a> (comes with Visual Studio or the Windows 10 SDK) to sign executables. 
I used a command like this:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>signtool.exe sign \/f d:\\certs\\YourCert.pfx \/p myCoolPassword \/fd SHA256 \/tr http:\/\/timestamp.digicert.com \/td SHA256 MyRadApp-1.0.exe<\/code><\/pre>\n\n\n\n<p>The <code>\/p<\/code> argument is the password you exported the .pfx with. <code>\/fd SHA256<\/code> tells it to use the recommended, more secure file digest algorithm. <code>\/tr<\/code> gives it a server that can timestamp when the file was signed. That would come in handy if your certificate expires, then everything signed by it when it was valid will still be valid, since it knows when the signing took place.  <code>\/td SHA256<\/code> tells it to use the recommended, more secure timestamp digest algorithm.<\/p>\n\n\n\n<p>After running the command, your .exe should be updated with the signed version.<\/p>\n\n\n\n<h2>Success!<\/h2>\n\n\n\n<p>After a while, my new releases stopped triggering the &#8220;this software may kill you&#8221; warnings. The cert is now trusted by SmartScreen.<\/p>\n\n\n\n<p>I was initially unsure if it would work and was worried that maybe only the more expensive or super-expensive &#8220;Enhanced Validation&#8221; certs would be necessary. But thankfully not!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The problem Windows SmartScreen has for a while been trying to keep malware at bay. One of the ways of doing that is putting up a big scary warning when you try to run anything they haven&#8217;t validated as safe: You have to click &#8220;More info&#8221; then &#8220;Run anyway&#8221; to actually run it. 
Eventually an &hellip; <\/p>\n<p class=\"link-more\"><a href=\"https:\/\/engy.us\/blog\/2021\/05\/25\/how-to-use-individual-code-signing-certificates-to-get-rid-of-smartscreen-warnings\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;How to Use Individual Code Signing Certificates to get rid of SmartScreen warnings&#8221;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"spay_email":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false},"categories":[1],"tags":[],"jetpack_featured_media_url":"","jetpack_publicize_connections":[],"jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/pahBcK-2z","jetpack-related-posts":[{"id":33,"url":"https:\/\/engy.us\/blog\/2010\/03\/31\/using-the-dispatcher-with-mvvm\/","url_meta":{"origin":159,"position":0},"title":"Using the Dispatcher with MVVM","date":"March 31, 2010","format":false,"excerpt":"When writing an MVVM application, you want to separate from the UI. However you also need to make sure that UI updates happen on the UI thread. Changes made through INotifyPropertyChanged get automatically marshaled to the UI thread, so in most cases you\u2019ll be fine. However, when using INotifyCollectionChanged (such\u2026","rel":"","context":"With 12 comments","img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":146,"url":"https:\/\/engy.us\/blog\/2021\/02\/28\/installing-net-5-runtime-automatically-with-inno-setup\/","url_meta":{"origin":159,"position":1},"title":"Installing .NET 5 Runtime Automatically with Inno Setup","date":"February 28, 2021","format":false,"excerpt":"In this guide I will walk through how to get the .NET 5 runtime to download and install on-the-fly in an Inno Setup installer. 
It works in 3 steps: Detect if the desired .NET runtime is installedDownload the .NET Runtime bootstrap installer with Inno Download PluginRun the bootstrap installer in\u2026","rel":"","context":"With 2 comments","img":{"alt_text":"","src":"https:\/\/i0.wp.com\/engy.us\/blog\/wp-content\/uploads\/2021\/02\/image.png?resize=350%2C200&ssl=1","width":350,"height":200},"classes":[]},{"id":51,"url":"https:\/\/engy.us\/blog\/2015\/07\/17\/installing-net-framework-4-5-automatically-with-inno-setup\/","url_meta":{"origin":159,"position":2},"title":"Installing .NET Framework 4.7 automatically with Inno Setup","date":"July 17, 2015","format":false,"excerpt":"In this guide I will walk through how to get the .NET framework to download and install on-the-fly in an Inno Setup installer. It works in 3 steps: Detect if the desired .NET framework is installed Download the .NET Framework bootstrap installer with Inno Download Plugin Run the bootstrap installer\u2026","rel":"","context":"In \".net framework 4.5 inno setup\"","img":{"alt_text":"","src":"https:\/\/i0.wp.com\/engy.us\/blog\/wp-content\/uploads\/2015\/07\/7028.InstallingFramework2-1.png?resize=350%2C200&ssl=1","width":350,"height":200},"classes":[]},{"id":135,"url":"https:\/\/engy.us\/blog\/2020\/09\/28\/error-handling-quirks-in-react\/","url_meta":{"origin":159,"position":3},"title":"Error Handling in ReactDom.render() vs ReactDom.hydrate()","date":"September 28, 2020","format":false,"excerpt":"There is an oddity in the behavior of ReactDom.render() and ReactDom.hydrate(). Both have similar looking function signatures, so you'd expect them to handle errors in about the same way. 
And while they both will trigger error boundaries correctly, hydrate() will throw an exception if there was a problem rendering, while\u2026","rel":"","context":"Similar post","img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":174,"url":"https:\/\/engy.us\/blog\/2021\/12\/11\/aws-cognito-authentication-in-electron\/","url_meta":{"origin":159,"position":4},"title":"AWS Cognito Authentication in Electron","date":"December 11, 2021","format":false,"excerpt":"The AWS Cognito authentication service as of this writing does not officially support the Electron platform. But there is a Javascript SDK for Cognito, as part of AWS Amplify. Others have tried using it on Electron but have run into issues. I ran into several more than what are described\u2026","rel":"","context":"Similar post","img":{"alt_text":"","src":"https:\/\/i2.wp.com\/engy.us\/blog\/wp-content\/uploads\/2021\/12\/image.png?resize=350%2C200&ssl=1","width":350,"height":200},"classes":[]},{"id":25,"url":"https:\/\/engy.us\/blog\/2012\/04\/06\/datetime-and-datetimeoffset-in-net-good-practices-and-common-pitfalls\/","url_meta":{"origin":159,"position":5},"title":"DateTime and DateTimeOffset in .NET: Good practices and common pitfalls","date":"April 6, 2012","format":false,"excerpt":"It becomes necessary to deal with dates and times in most .NET programs. A lot of programs use DateTime but that structure is frought with potential issues when you start serializing, parsing, comparing\u00a0and displaying dates from\u00a0different time zones and cultures. 
In this post I will go over these issues and\u00a0the\u2026","rel":"","context":"In \".net\"","img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]}],"_links":{"self":[{"href":"https:\/\/engy.us\/blog\/wp-json\/wp\/v2\/posts\/159"}],"collection":[{"href":"https:\/\/engy.us\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/engy.us\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/engy.us\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/engy.us\/blog\/wp-json\/wp\/v2\/comments?post=159"}],"version-history":[{"count":1,"href":"https:\/\/engy.us\/blog\/wp-json\/wp\/v2\/posts\/159\/revisions"}],"predecessor-version":[{"id":161,"href":"https:\/\/engy.us\/blog\/wp-json\/wp\/v2\/posts\/159\/revisions\/161"}],"wp:attachment":[{"href":"https:\/\/engy.us\/blog\/wp-json\/wp\/v2\/media?parent=159"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/engy.us\/blog\/wp-json\/wp\/v2\/categories?post=159"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/engy.us\/blog\/wp-json\/wp\/v2\/tags?post=159"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}