Windows codesign but still get warning

I codesigned my .exe file, uploaded it to my server.
Downloading that file and executing still gives a warning the .exe is not being trusted.
When clicking on ‘more…’ it reveals my company name and asks to run or not.

Why is this? I bought a Windows codesign license to get past this, not to show my apps are still not ‘trusted’

BTW doing a verification does confirm the .exe is codesigned.

What OS? What browser? What is the exact error message? Are you sure your code-signing certificate is from a valid Certificate Authority?

Windows and the certificate is certainly valid (kSoftware/Comodo).

When you download and run the .exe file, it warns it isn’t downloaded enough and it can be harmful for your system.
When clicking on More -> it displays my company name and asks to run or not.

I confirm the issue. I made sure to code sign both the app and the DLLs with my Comodo certificate, but yet I get the warning and the request to enter the administrator password. It looks as though Windows now requires an Authenticode certificate to execute a program like that.

BUT my current programs which I signed then put into an installer itself signed with Comodo do not trigger the warning.

So what you want to do is to make an installer for your program.

I already use an installer (and signed the setup.exe).
It does not ask for an admin password but it does give a warning.

[quote=163621:@Christoph De Vocht]I already use an installer (and signed the setup.exe).
It does not ask for an admin password but it does give a warning.[/quote]

The fact that Windows asks for permission to install is normal. If the installer is signed, you get a blue window. If it is not signed, you get a yellow window with a warning.

This is normal as Microsoft has its own “trusted developers” database and signing the exe doesn’t mean immediate trusting.

As far as I know and my experience it takes a few months and some thousands of downloads / installs to get trusted by MS but there are no official details.
Once you are trusted the blue window doesn’t appear any more and also other applications you develop and sign with the same signature are trusted faster.

Btw, I mean the large blue bar at the middle of the window, not the small question window that appears on signed installers.

[quote=164281:@Alejandro Fresno Meyer]This is normal as Microsoft has its own “trusted developers” database and signing the exe doesn’t mean immediate trusting.

As far as I know and my experience it takes a few months and some thousands of downloads / installs to get trusted by MS but there are no official details.
Once you are trusted the blue window doesn’t appear any more and also other applications you develop and sign with the same signature are trusted faster.[/quote]

I have been a Windows developer for ages and know MSDN very well, but this is the first time I read that. As far as I know Microsoft has no way to gather information about the number of downloads and probably does not care. Neither does it get information about installs of individual programs.

Maybe you are referring to the Trusted Publisher settings each user can have such as described here:
https://technet.microsoft.com/en-us/library/cc733026.aspx

The SmartScreen blue bar will not appear for installers which are signed, just the small confirmation box “Do you want this program to modify your system”.

It is possible that “naked” programs that have not been installed or generated on the machines (as if by Xojo) get flagged by SmartScreen (the blue bar) even if they are signed because they have no registry key. By the way, how come the debug programs created by Xojo, although not signed, do not trigger SmartScreen?

Michel,

as far as I know SmartScreen is based on application reputation and certainly is dependent on who signs it and how many times it is installed because this feeds the whitelist at MS.
More info at http://windows.microsoft.com/en-us/windows7/smartscreen-filter-frequently-asked-questions-ie9 and https://blog.digicert.com/ms-smartscreen-application-reputation/

And SmartScreen appears even after having signed an application except if you are a well known publisher and whitelisted, this has been discussed at MS forums.

Debug programs won’t trigger SmartScreen because they have not been downloaded.
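The difference between a downloaded copy and a locally built one can be inspected directly. The following is an added example, not part of any post in this thread: a PowerShell function that reports the Authenticode status of a file together with its Mark of the Web, the `Zone.Identifier` alternate data stream that browsers attach to downloads on NTFS. The function name and the demo file are hypothetical.

```powershell
function Get-DownloadTrustInfo {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)

    $file = Get-Item -LiteralPath $Path
    $sig  = Get-AuthenticodeSignature -LiteralPath $file.FullName

    # Mark of the Web: an NTFS alternate data stream named Zone.Identifier.
    # A file built or copied locally normally has no such stream.
    $zoneId = $null
    $motw = Get-Content -LiteralPath $file.FullName -Stream Zone.Identifier `
                        -ErrorAction SilentlyContinue
    foreach ($line in $motw) {
        if ($line -match '^ZoneId=(\d+)') { $zoneId = [int]$Matches[1]; break }
    }

    [pscustomobject]@{
        File            = $file.Name
        SignatureStatus = $sig.Status
        Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        Timestamped     = [bool]$sig.TimeStamperCertificate
        ZoneId          = $zoneId
        # ZoneId 3 is the Internet zone, 4 is Restricted Sites
        FromInternet    = ($null -ne $zoneId -and $zoneId -ge 3)
    }
}

# Constructed demo: a placeholder file created locally, then the same file
# tagged the way a browser download would be.
$demo = Join-Path $env:TEMP 'motw-demo.exe'
Set-Content -LiteralPath $demo -Value 'placeholder, not a real executable'
Get-DownloadTrustInfo -Path $demo
Set-Content -LiteralPath $demo -Stream Zone.Identifier -Value '[ZoneTransfer]', 'ZoneId=3'
Get-DownloadTrustInfo -Path $demo
Remove-Item -LiteralPath $demo
```

Running it against a signed installer before upload and again after downloading it shows the same signer and status, with only the zone information changed.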

One important piece of information in the literature linked to is

So if you do not buy into the $599.00 a year Verisign authentishit, you’re not considered worthy of having even a look at your software for whitelist.

It looks like there are plenty of providers to choose from other than Verisign. Download the September 2014 Root Certificates Update for a list.

A visit to Introduction to The Microsoft Root Certificate Program may also be helpful.

Thanks Frederick. Indeed this is great. I see for instance that GlobalSign is just $175.00 a year as compared to VS the ripper’s $599.00.

This is very interesting to get listed on the Windows Store through the onboarding program which requires authenticode. But yet I wonder if another company than Verisign is OK, since all along they repeat Authenticode from Verisign.

Back on the original subject, though, the page for authenticode shows the classic blue confirmation box “Do you want to install this software” with the name of the developer I currently get from Comodo. And none of my apps triggers SmartScreen anyway.

[quote=163615:@Christoph De Vocht]Windows and the certificate is certainly valid (kSoftware/Comodo).

When you download and run the .exe file, it warns it isn’t downloaded enough and it can be harmful for your system.
When clicking on More -> it displays my company name and asks to run or not.[/quote]

I’ve had this message after downloading software from my server too. But after a couple of days and approx 100 downloads from different clients this message disappeared without any action. I’ve never found out why and assumed that Microsoft just updated their SmartScreen Whitelist after a certain amount of downloads from a given domain.

How to code sign for Windows? I have a valid certificate but I don’t know how.

I’m using KSign from KSoftware: http://codesigning.ksoftware.net/

My certificate is from them but I believe it works with all certificates.
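For readers who want to sign without a third-party front end, here is an added example (not from this thread and not KSign's own method) using PowerShell's built-in `Set-AuthenticodeSignature`. It assumes the code-signing certificate is already imported into the current user's certificate store; the function name, the thumbprint and the timestamp URL are placeholders you supply from your own certificate and CA.

```powershell
function Invoke-AuthenticodeSign {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string[]]$Files,
        [Parameter(Mandatory)][string]$Thumbprint,       # of your code-signing cert
        [Parameter(Mandatory)][string]$TimestampServer   # your CA's timestamp URL
    )

    # Pick the certificate by thumbprint from the user's store; -CodeSigningCert
    # filters out certificates that are not valid for code signing.
    $cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
            Where-Object { $_.Thumbprint -eq $Thumbprint } |
            Select-Object -First 1
    if (-not $cert) { throw "No code-signing certificate with thumbprint $Thumbprint" }
    if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($cert.NotAfter)" }

    foreach ($f in $Files) {
        # Timestamping keeps the signature verifiable after the certificate expires.
        $result = Set-AuthenticodeSignature -FilePath $f -Certificate $cert `
                      -HashAlgorithm SHA256 -TimestampServer $TimestampServer
        if ($result.Status -ne 'Valid') {
            throw "Signing failed for ${f}: $($result.StatusMessage)"
        }

        # Re-read the file from disk to confirm what a user's machine will see.
        $check = Get-AuthenticodeSignature -FilePath $f
        if ($check.Status -ne 'Valid' -or -not $check.TimeStamperCertificate) {
            throw "Verification failed for ${f}: $($check.StatusMessage)"
        }
        "{0}: signed by {1}" -f $f, $check.SignerCertificate.Subject
    }
}

# Usage with placeholder values (replace all three before running):
# Invoke-AuthenticodeSign -Files '.\MyApp.exe', '.\MyApp Libs\Plugin.dll' `
#     -Thumbprint '<YOUR-CERT-THUMBPRINT>' -TimestampServer '<YOUR-CA-TIMESTAMP-URL>'
```

Sign the application and its DLLs first, build the installer from the signed files, then run the function again on the installer itself.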

It’s frustrating that for the most part of important matters we should buy external tools. With Gatekeeper and SmartScreen a development tool SHOULD have an in-IDE function to sign the software.

KSign is free, but it is a general question, thank you.