eldev

Reputation: 61

SmartScreen still gives warning with EV Code Signing Certificate

I'm developing an app with Tauri and I've signed it with an EV Code Signing Certificate from Sectigo. I've tried signing through Tauri's built-in system by inputting the certificate thumbprint and timestamp link (http://timestamp.sectigo.com) and I've tried using signtool; both seem to successfully sign the app, but both result in the same issue.

That is, when users run the msi installer they're still getting the Microsoft Defender SmartScreen warning about preventing an unrecognized app from running, despite the fact that the EV Code Cert is on the msi installer.

I've tried contacting both Sectigo and Microsoft but neither has exactly been helpful. Does someone know what could be the potential issue?

I'm happy to provide any details as needed, just let me know.

Upvotes: 4

Views: 2414
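A check, added here and not part of eldev's post or the Tauri project, for confirming what the signed MSI actually carries (a trusted chain, the EV policy OID, and a timestamp countersignature) before submitting it to Microsoft; the MSI path is a placeholder, and signtool is assumed to be on the PATH from the Windows SDK:

```powershell
# Added example (not from the question or answers): inspect the Authenticode
# signature SmartScreen will see on the installer.
# Assumed placeholder path; replace with the real build output.
$msi = 'C:\build\MyApp.msi'

$sig = Get-AuthenticodeSignature -FilePath $msi

# 1. The signature must chain to a trusted root ("Valid"). "NotSigned",
#    "UnknownError" (chain problem) or "HashMismatch" means signing did not take.
"Status:         $($sig.Status) ($($sig.StatusMessage))"

# 2. Signer details. EV code-signing certificates carry the CA/Browser Forum
#    EV code-signing policy OID 2.23.140.1.3 in the Certificate Policies
#    extension (OID 2.5.29.32); an OV cert from the same CA will not.
$cert = $sig.SignerCertificate
"Signer:         $($cert.Subject)"
"Thumbprint:     $($cert.Thumbprint)"
$policies = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.32' }
$isEv = $policies -and ($policies.Format($true) -match '2\.23\.140\.1\.3')
"EV policy OID:  $isEv"

# 3. A countersignature from the timestamp authority keeps the signature valid
#    after the certificate expires; if this is null the timestamp step failed.
if ($sig.TimeStamperCertificate) {
    "Timestamped by: $($sig.TimeStamperCertificate.Subject)"
} else {
    "WARNING: no timestamp; the signature breaks when the certificate expires"
}

# Cross-check with signtool: /pa applies the default Authenticode policy,
# /v prints the full chain and the timestamp details.
& signtool verify /pa /v $msi
```

A "Valid" status with the EV policy present and a timestamp confirms the signing pipeline is fine and the remaining warning is SmartScreen reputation rather than a signing defect.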

Answers (2)

Marc Cayuela

Reputation: 1592

There is a common misconception that use of an EV Code Signing certificate will instantly eliminate Microsoft Defender SmartScreen warnings. This is not correct. Using a code signing certificate should increase the trust score of the application / developer when the app is signed with the certificate.

Note that the Microsoft Defender SmartScreen trust algorithm is proprietary to Microsoft, and the exact scoring method is not available to third parties. An increase in trust may not eliminate all SmartScreen warnings until the app / developer trust is sufficiently established with Microsoft, even if a code signing certificate is utilized.

When the trust score for your application reaches some threshold determined by Microsoft then Defender SmartScreen warnings will cease. The trust score will increase incrementally as the application in question is more frequently downloaded.

Upvotes: 1

eldev

Reputation: 61

It seems like EV Code Signing Certificates no longer give instant Microsoft Defender SmartScreen reputation (despite the fact that's the whole point). You have to submit your msi/exe to Microsoft and then they'll tell you that your certificate still hasn't established enough reputation, but by submitting your app it'll get rid of the SmartScreen warning for that app.

Upvotes: 2
