On Tue, 9 Oct 2018 at 17:54, Elvis Stansvik <elvst...@gmail.com> wrote:
>
> On Tue, 9 Oct 2018 at 17:29, Nuno Santos <nunosan...@imaginando.pt> wrote:
>>
>> Christopher,
>>
>> In order to have Microsoft's SmartScreen saying your company name, you need
>> to buy an EV certificate:
>
>
> Let me add that it's not strictly necessary to use an EV certificate to get
> rid of SmartScreen. It's possible with a "regular" certificate as well, it
> just takes some time for the cert signature to become whitelisted at
> Microsoft (they track user installs).
>
> We use a regular (cheaper) code signing cert from Digicert. For a while,
> users running our installer would still get a SmartScreen warning, but as the
> number of installs grew, at some point the warning disappeared due to
> whitelisting.
>
> An EV certificate would establish trust faster, and I think the rules behind
> the whitelisting are rather undocumented.

I should add some more info from my experience with this:

Back when we decided to go with a cheaper non-EV cert, I did some reading on
this and found reports that you could "speed up" the process of getting your
certificate whitelisted by running your installer (signed with your
certificate) through the Windows App Certification Kit (WACK) (appcert.exe),
and then uploading the validation report XML to one of their developer
portals [1].

Just to let you know, I went through that process, but the cert was now
whitelisted even a couple of weeks after doing so. So I believe that "trick"
no longer works, and the only way to establish trust with a non-EV certificate
nowadays is to get "enough" unique installs without any malware reports.

What is "enough" is of course not publicized by MS, and may change, but in our
case it couldn't have been many installs, since it was just a few early
adopters (maybe 20 or so). Microsoft of course probably uses other
metrics/heuristics to determine when a cert is worthy of whitelisting, but
from our experience it was quite easy.

Elvis

[1] Can't remember the exact name of the site, I believe they've changed
around things and that portal is now deprecated, possibly gone.

>
> HTH,
> Elvis
>
>>
>> https://www.globalsign.com/en/code-signing-certificate/ev-code-signing-certificates/
>>
>> It costs around 300 euros a year.
>>
>> There are several providers for this. Globalsign is just one. Then you will
>> receive a usb dongle with your certificate (GlobalSign sends a USB dongle).
>>
>> When you have it, you need to configure it. The provider tells you what to
>> do.
>>
>> After that you need to invoke a command like this:
>>
>>
>> signtool.exe sign /a /tr http://rfc3161timestamp.globalsign.com/advanced /td SHA256 EXE_TO_SIGN
>>
>>
>> Best,
>>
>> Nuno
>>
>> On 9 Oct 2018, at 16:20, Christopher Probst <christop.pro...@gmail.com>
>> wrote:
>>
>> Thank-you Nils for your reply.
>>
>>> I think signing your installer should solve this.
>>> "Trust" can be bought with the certificate.
>>>
>>>
>>
>>
>> Please forgive my ignorance, but how does one sign an application with
>> Microsoft? The documentation online seems unnecessarily complex for something
>> that should be routine. Any help is appreciated.
>>
>> Thanks,
>> Christopher
>> _______________________________________________
>> Interest mailing list
>> Interest@qt-project.org
>> http://lists.qt-project.org/mailman/listinfo/interest