[Interest] Qt Install Framework - Becoming a Microsoft Known Publisher

Elvis Stansvik elvstone at gmail.com
Tue Oct 9 19:42:15 CEST 2018


On Tue 9 Oct 2018 at 17:54, Elvis Stansvik <elvstone at gmail.com> wrote:
>
> On Tue 9 Oct 2018 at 17:29, Nuno Santos <nunosantos at imaginando.pt> wrote:
>>
>> Christopher,
>>
>> In order to have Microsoft’s SmartScreen saying your company name, you need to buy an EV certificate:
>
>
> Let me add that it's not strictly necessary to use an EV certificate to get rid of SmartScreen. It's possible with a "regular" certificate as well, it just takes some time for the cert signature to become whitelisted at Microsoft (they track user installs).
>
> We use a regular (cheaper) code signing cert from Digicert. For a while, users running our installer would still get a SmartScreen warning, but as the number of installs grew, at some point the warning disappeared due to whitelisting.
>
> An EV certificate would establish trust faster, and I think the rules behind the whitelisting are rather undocumented.

I should add some more info from my experience with this: Back when we
decided to go with a cheaper non-EV cert, I did some reading on this
and found reports that you could "speed up" the process of getting
your certificate whitelisted by running your installer (signed with
your certificate) through the Windows App Certification Kit (WACK)
(appcert.exe), and then upload the validation report XML to one of
their developer portals [1]. Just to let you know, I went through that
process, but the cert was not whitelisted even a couple of weeks after
doing so. So I believe that "trick" no longer works, and the only way
to establish trust with a non-EV certificate nowadays is to get
"enough" unique installs without any malware reports. What is "enough"
is of course not publicized by MS, and may change, but in our case it
couldn't have been many installs, since it was just a few early
adopters (maybe 20 or so). Microsoft of course probably uses other
metrics/heuristics to determine when a cert is worthy of whitelisting,
but from our experience it was quite easy.

Elvis

[1] Can't remember the exact name of the site, I believe they've
changed around things and that portal is now deprecated, possibly
gone.

>
> HTH,
> Elvis
>
>>
>> https://www.globalsign.com/en/code-signing-certificate/ev-code-signing-certificates/
>>
>> It costs around 300 euros a year.
>>
>> There are several providers for this. Globalsign is just one. Then you will receive a usb dongle with your certificate (GlobalSign sends a USB dongle).
>>
>> When you have it, you need to configure it. The provider tells you what to do.
>>
>> After that you need to invoke a command like this:
>>
>>
>> signtool.exe sign /a /tr http://rfc3161timestamp.globalsign.com/advanced /td SHA256 EXE_TO_SIGN
>>
>>
>> Best,
>>
>> Nuno
>>
>> On 9 Oct 2018, at 16:20, Christopher Probst <christop.probst at gmail.com> wrote:
>>
>> Thank you, Nils, for your reply.
>>
>>> I think signing your installer should solve this. "Trust" can be bought
>>> with the certificate.
>>>
>>>
>>
>>
>> Please forgive my ignorance, but how does one sign an application with Microsoft? The documentation online seems unnecessarily complex for something that should be routine. Any help is appreciated.
>>
>> Thanks,
>> Christopher
>> _______________________________________________
>> Interest mailing list
>> Interest at qt-project.org
>> http://lists.qt-project.org/mailman/listinfo/interest
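As an added example that is not part of the thread above: Nuno's signtool invocation, extended with an explicit SHA-256 file digest and followed by the two verification steps a release engineer would run before shipping an installer. The timestamp server URL is the one quoted in the thread; the installer path is a placeholder, signtool.exe is assumed to be on PATH from the Windows SDK, and the certificate is assumed to be reachable through the token vendor's CSP so that /a can select it.

```powershell
# Added example (not from the thread): sign the installer with a SHA-256 file
# digest and an RFC 3161 timestamp, then verify the result before shipping.
# Assumptions: signtool.exe is on PATH (Windows SDK), the certificate's private
# key lives on the vendor's USB token (so /a picks it up), and the installer
# path below is a placeholder.
$Installer = 'C:\build\MyAppInstaller.exe'                       # placeholder path
$TsaUrl    = 'http://rfc3161timestamp.globalsign.com/advanced'   # TSA quoted in the thread

# /fd SHA256 sets the file digest explicitly; without it older signtool
# releases fall back to SHA-1, which current Windows versions distrust.
& signtool.exe sign /a /fd SHA256 /tr $TsaUrl /td SHA256 $Installer
if ($LASTEXITCODE -ne 0) { throw "signing failed with exit code $LASTEXITCODE" }

# Verify against the Default Authenticode policy (/pa) with verbose chain output,
# which also confirms the timestamp countersignature is present.
& signtool.exe verify /pa /v $Installer
if ($LASTEXITCODE -ne 0) { throw "signature verification failed" }

# Independent check from PowerShell: status must be Valid, and the signer
# subject is the name SmartScreen will display once the certificate has
# accumulated reputation.
$sig = Get-AuthenticodeSignature -FilePath $Installer
if ($sig.Status -ne 'Valid') { throw "Authenticode status: $($sig.Status)" }
"Signed by:      $($sig.SignerCertificate.Subject)"
"Timestamped by: $($sig.TimeStamperCertificate.Subject)"
```

The timestamp matters for the whitelisting discussion above: a timestamped signature stays valid after the signing certificate expires, so the reputation an installer builds with users is not lost at renewal time for binaries already in the field.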
