0

In order to avoid SmartScreen blocking downloads and install files from my application, I bought an EV Code Signing Certificate, which is expensive.

Now when I sign my installation file, SmartScreen really doesn't bother the user anymore and will let the app be installed.

BUT still, when the user tries to download the install file in ZIP format from our website using Edge, SmartScreen still shows that infamous message:

"xxxx.zip isn't commonly downloaded. Make sure you trust xxxx.zip before you open it".

Then the user needs to click on the [...] menu, then click on 'Keep', then another window is shown, then the user needs to click on 'Show more', then click again on 'Keep anyway'.

That's A LOT of friction to install a simple application on the machine.

I bought the EV code signing certificate just to avoid that, but nothing changed in the download process.

The ZIP file isn't signed because you can't sign ZIP files, but the install.exe file inside of the ZIP is.

What should I do? Download the EXE file directly, instead of the ZIP?

delphirules
  • 1,005

2 Answers

3

You can try making a self-extracting Zip archive (an executable, .exe) with 7-Zip or another tool, and then digitally sign the file using the MS SignTool, verifying the signature.

A self-extracting archive can also be opened by 7-Zip or other archive tools as if it were an ordinary compressed archive, so if the certifying process works here, you might not bother to keep a separate, non-executable Zip -- just let users know they can open the executable, examine the contents and manually extract it.

Ramhound
  • 44,080
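The procedure described in this answer (build the self-extracting archive, sign it, verify the signature) as an added PowerShell example; it is not the answer's own code nor anything shipped by 7-Zip or Microsoft. It assumes `7z.exe` and `signtool.exe` are on PATH, that the EV certificate is installed in the current user's certificate store, and that `$CertThumbprint`, `$SourceDir` and `$SfxPath` are placeholders for your own values.

```powershell
# Added example: build a 7-Zip SFX, Authenticode-sign it, then verify before publishing.
# Assumptions: 7z.exe and signtool.exe on PATH; EV certificate in the user's cert store;
# $CertThumbprint is a placeholder for the real certificate thumbprint.
$ErrorActionPreference = 'Stop'

$SourceDir      = '.\dist'                          # folder holding the already-signed install.exe
$SfxPath        = '.\MyApp-Setup.exe'               # self-extracting archive to publish
$CertThumbprint = 'PLACEHOLDER_EV_CERT_THUMBPRINT'  # placeholder, replace with your own
$TimestampUrl   = 'http://timestamp.digicert.com'   # RFC 3161 timestamp server

# 1. Create the SFX. -sfx prepends 7-Zip's default SFX stub, so the output is a PE file,
#    which is why it can carry an Authenticode signature while a plain .zip cannot.
& 7z a -sfx $SfxPath "$SourceDir\*"
if ($LASTEXITCODE -ne 0) { throw "7-Zip failed with exit code $LASTEXITCODE" }

# 2. Sign with SHA-256 digests and an RFC 3161 timestamp, so the signature remains valid
#    after the signing certificate itself expires.
& signtool sign /fd SHA256 /td SHA256 /tr $TimestampUrl /sha1 $CertThumbprint $SfxPath
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# 3. Verify against the default Authenticode policy (/pa), the policy Windows applies.
& signtool verify /pa /v $SfxPath
if ($LASTEXITCODE -ne 0) { throw "signtool verify failed with exit code $LASTEXITCODE" }

# 4. Independent check from PowerShell: the signature must be Valid AND made by the
#    expected certificate, not merely by "some" certificate.
$sig = Get-AuthenticodeSignature -FilePath $SfxPath
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Thumbprint -ne $CertThumbprint) {
    throw "Unexpected signature state: $($sig.Status) from $($sig.SignerCertificate.Subject)"
}
Write-Host "Signed and verified: $SfxPath (signer: $($sig.SignerCertificate.Subject))"
```

The resulting file is both a runnable installer and, as the answer notes, still openable in 7-Zip as an ordinary archive; the thumbprint check in step 4 is what catches a build that was accidentally signed with the wrong (for example a test) certificate.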
3

In order to avoid SmartScreen blocking downloads and install files from my application, I bought an EV Code Signing Certificate, which is expensive.

Now when I sign my installation file, SmartScreen really doesn't bother the user anymore and will let the app be installed.

BUT still, when the user tries to download the install file in ZIP format from our website using Edge, SmartScreen still shows that infamous message

If you have signed an executable that installs your application, why are you putting that executable (which is already compressed) inside an archive? SmartScreen uses a variety of factors to determine whether enough information about the file is known. Sending the sample to Microsoft, having more users download and trust the file, and even digitally signing the file that is being downloaded are ways to increase its reputation with SmartScreen.

Your archive file isn’t digitally signed. Based on the message, it hasn’t been submitted to Microsoft, nor have enough downloads happened, which means SmartScreen will warn the user.

The ZIP file isn't signed because you can't sign ZIP files, but the install.exe file inside of the ZIP is.

You can indeed sign ZIP files; I just don’t believe using an OpenPGP certificate would make a difference to SmartScreen.

What should I do? Download the EXE file directly, instead of the ZIP?

Yes. You should also send the compressed executable to Microsoft, so SmartScreen's other considerations can be addressed, as every version of that executable will initially not have been downloaded enough times.

Ramhound
  • 44,080