On Tue, 9 Oct 2018 at 19:42, Elvis Stansvik <elvst...@gmail.com> wrote:
>
> On Tue, 9 Oct 2018 at 17:54, Elvis Stansvik <elvst...@gmail.com> wrote:
> >
> > On Tue, 9 Oct 2018 at 17:29, Nuno Santos <nunosan...@imaginando.pt> wrote:
> >>
> >> Christopher,
> >>
> >> In order to have Microsoft’s SmartScreen saying your company name, you
> >> need to buy an EV certificate:
> >
> >
> > Let me add that it's not strictly necessary to use an EV certificate to get
> > rid of SmartScreen. It's possible with a "regular" certificate as well, it
> > just takes some time for the cert signature to become whitelisted at
> > Microsoft (they track user installs).
> >
> > We use a regular (cheaper) code signing cert from Digicert. For a while,
> > users running our installer would still get a SmartScreen warning, but as
> > the number of installs grew, at some point the warning disappeared due to
> > whitelisting.
> >
> > An EV certificate would establish trust faster, and I think the rules
> > behind the whitelisting are rather undocumented.
>
> I should add some more info from my experience with this: Back when we
> decided to go with a cheaper non-EV cert, I did some reading on this
> and found reports that you could "speed up" the process of getting
> your certificate whitelisted by running your installer (signed with
> your certificate) through the Windows App Certification Kit (WACK)
> (appcert.exe), and then upload the validation report XML to one of
> their developer portals [1]. Just to let you know, I went through that
> process, but the cert was now whitelisted even a couple of weeks after

Was _not_ whitelisted.

Elvis

> doing so. So I believe that "trick" no longer works, and the only way
> to establish trust with a non-EV certificate nowadays is to get
> "enough" unique installs without any malware reports. What is "enough"
> is of course not publicized by MS, and may change, but in our case it
> couldn't have been many installs, since it was just a few early
> adopters (maybe 20 or so). Microsoft of course probably uses other
> metrics/heuristics to determine when a cert is worthy of whitelisting,
> but from our experience it was quite easy.
>
> Elvis
>
> [1] Can't remember the exact name of the site, I believe they've
> changed around things and that portal is now deprecated, possibly
> gone.
>
> >
> > HTH,
> > Elvis
> >
> >>
> >> https://www.globalsign.com/en/code-signing-certificate/ev-code-signing-certificates/
> >>
> >> It costs around 300 euros a year.
> >>
> >> There are several providers for this. Globalsign is just one. Then you
> >> will receive a usb dongle with your certificate (GlobalSign sends a USB
> >> dongle).
> >>
> >> When you have it, you need to configure it. The provider tells you what to
> >> do.
> >>
> >> After that you need to invoke a command like this:
> >>
> >>
> >> signtool.exe sign /a /tr http://rfc3161timestamp.globalsign.com/advanced /td SHA256 EXE_TO_SIGN
> >>
> >>
> >> Best,
> >>
> >> Nuno
> >>
> >> On 9 Oct 2018, at 16:20, Christopher Probst <christop.pro...@gmail.com>
> >> wrote:
> >>
> >> Thank you Nils for your reply.
> >>
> >>> I think signing your installer should solve this. "Trust" can be bought
> >>> with the certificate.
> >>>
> >>>
> >>
> >>
> >> Please forgive my ignorance, but how does one sign an application with
> >> Microsoft? The documentation online seems unnecessarily complex for
> >> something that should be routine. Any help is appreciated.
> >>
> >> Thanks,
> >> Christopher
> >> _______________________________________________
> >> Interest mailing list
> >> Interest@qt-project.org
> >> http://lists.qt-project.org/mailman/listinfo/interest
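
The thread above signs an installer with signtool.exe and an RFC 3161 timestamp (/tr). As an added example that is not part of any message in the thread, here is a PowerShell check that could run after signing and before publishing, to confirm the signature validates, comes from the expected certificate, and carries a timestamp. The file path and subject string are placeholders.

```powershell
# Added example: release gate that inspects an installer's Authenticode signature.
# '.\setup.exe' and 'CN=Example Company' below are placeholders, not values from the thread.
function Test-InstallerSignature {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ExpectedSubject
    )
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $problems = @()

    # Status is 'Valid' only when the file hash matches the signature
    # and the certificate chain is trusted on this machine.
    if ($sig.Status -ne 'Valid') {
        $problems += "signature status is $($sig.Status): $($sig.StatusMessage)"
    }
    # An unsigned file has no signer certificate at all.
    if ($null -eq $sig.SignerCertificate) {
        $problems += 'no signer certificate'
    }
    elseif ($sig.SignerCertificate.Subject -notmatch [regex]::Escape($ExpectedSubject)) {
        $problems += "unexpected signer: $($sig.SignerCertificate.Subject)"
    }
    # Without a timestamp countersignature (signtool's /tr), the signature
    # stops validating once the code signing certificate expires.
    if ($null -eq $sig.TimeStamperCertificate) {
        $problems += 'signature has no timestamp countersignature'
    }
    [pscustomobject]@{
        Path        = $Path
        Signer      = $sig.SignerCertificate.Subject
        CertExpires = $sig.SignerCertificate.NotAfter
        Timestamped = ($null -ne $sig.TimeStamperCertificate)
        Problems    = $problems
        Ok          = ($problems.Count -eq 0)
    }
}

$result = Test-InstallerSignature -Path '.\setup.exe' -ExpectedSubject 'CN=Example Company'
$result | Format-List
if (-not $result.Ok) { exit 1 }   # fail the build step on any problem
```

A passing result only shows that the signature is intact and trusted locally; it says nothing about SmartScreen reputation, which the thread describes as built up separately by Microsoft.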