[Interest] Qt Install Framework - Becoming a Microsoft Known Publisher

Elvis Stansvik elvstone at gmail.com
Tue Oct 9 19:43:21 CEST 2018


On Tue 9 Oct 2018 at 19:42, Elvis Stansvik <elvstone at gmail.com> wrote:
>
> On Tue 9 Oct 2018 at 17:54, Elvis Stansvik <elvstone at gmail.com> wrote:
> >
> > On Tue 9 Oct 2018 at 17:29, Nuno Santos <nunosantos at imaginando.pt> wrote:
> >>
> >> Christopher,
> >>
> >> In order to have Microsoft’s SmartScreen saying your company name, you need to buy an EV certificate:
> >
> >
> > Let me add that it's not strictly necessary to use an EV certificate to get rid of SmartScreen. It's possible with a "regular" certificate as well, it just takes some time for the cert signature to become whitelisted at Microsoft (they track user installs).
> >
> > We use a regular (cheaper) code signing cert from Digicert. For a while, users running our installer would still get a SmartScreen warning, but as the number of installs grew, at some point the warning disappeared due to whitelisting.
> >
> > An EV certificate would establish trust faster, and I think the rules behind the whitelisting are rather undocumented.
>
> I should add some more info from my experience with this: Back when we
> decided to go with a cheaper non-EV cert, I did some reading on this
> and found reports that you could "speed up" the process of getting
> your certificate whitelisted by running your installer (signed with
> your certificate) through the Windows App Certification Kit (WACK)
> (appcert.exe), and then upload the validation report XML to one of
> their developer portals [1]. Just to let you know, I went through that
> process, but the cert was now whitelisted even a couple of weeks after

Was _not_ whitelisted.

Elvis

> doing so. So I believe that "trick" no longer works, and the only way
> to establish trust with a non-EV certificate nowadays is to get
> "enough" unique installs without any malware reports. What is "enough"
> is of course not publicized by MS, and may change, but in our case it
> couldn't have been many installs, since it was just a few early
> adopters (maybe 20 or so). Microsoft of course probably uses other
> metrics/heuristics to determine when a cert is worthy of whitelisting,
> but from our experience it was quite easy.
>
> Elvis
>
> [1] Can't remember the exact name of the site, I believe they've
> changed around things and that portal is now deprecated, possibly
> gone.
>
> >
> > HTH,
> > Elvis
> >
> >>
> >> https://www.globalsign.com/en/code-signing-certificate/ev-code-signing-certificates/
> >>
> >> It costs around 300 euros a year.
> >>
> >> There are several providers for this. Globalsign is just one. Then you will receive a usb dongle with your certificate (GlobalSign sends a USB dongle).
> >>
> >> When you have it, you need to configure it. The provider tells you what to do.
> >>
> >> After that you need to invoke a command like this:
> >>
> >>
> >> signtool.exe sign /a /tr http://rfc3161timestamp.globalsign.com/advanced /td SHA256 EXE_TO_SIGN
> >>
> >>
> >> Best,
> >>
> >> Nuno
> >>
> >> On 9 Oct 2018, at 16:20, Christopher Probst <christop.probst at gmail.com> wrote:
> >>
> >> Thank you, Nils, for your reply.
> >>
> >>> I think signing your installer should solve this. "Trust" can be bought
> >>> with the certificate.
> >>>
> >>>
> >>
> >>
> >> Please forgive my ignorance, but how does one sign an application with Microsoft? The documentation online seems unnecessarily complex for something that should be routine. Any help is appreciated.
> >>
> >> Thanks,
> >> Christopher
> >> _______________________________________________
> >> Interest mailing list
> >> Interest at qt-project.org
> >> http://lists.qt-project.org/mailman/listinfo/interest
> >>
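Once the installer has been signed with a signtool command like the one Nuno quotes, a release engineer (or anyone vetting a downloaded installer) wants to confirm three things: the Authenticode signature validates, the signer is the expected publisher and not merely some valid certificate, and an RFC 3161 timestamp countersignature is present so the signature stays valid after the certificate expires. The following PowerShell is an added example, not code from this thread or from the Qt Installer Framework; it assumes signtool.exe from the Windows SDK is on PATH, reuses the GlobalSign timestamp URL from the thread, and adds `/fd SHA256` to the signing command because recent signtool versions warn when no file digest algorithm is given.

```powershell
# Added example: sign an installer and verify the resulting Authenticode
# signature. Assumes signtool.exe (Windows SDK) is on PATH and that a code
# signing certificate is installed in the current user's store (/a picks it).
function Invoke-InstallerSigning {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Timestamp server from the thread; any RFC 3161 responder works.
        [string] $TimestampUrl = 'http://rfc3161timestamp.globalsign.com/advanced'
    )
    # /fd SHA256 sets the file digest; /td SHA256 the timestamp digest.
    & signtool.exe sign /a /fd SHA256 /tr $TimestampUrl /td SHA256 $Path
    if ($LASTEXITCODE -ne 0) {
        throw "signtool sign failed with exit code $LASTEXITCODE"
    }
}

function Test-InstallerSignature {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Expected publisher as it appears in the certificate subject (CN=...).
        [Parameter(Mandatory)] [string] $ExpectedSubjectCN
    )
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $problems = @()
    # Valid means the chain builds to a trusted root and the file hash matches;
    # HashMismatch means the binary was modified after signing.
    if ($sig.Status -ne 'Valid') {
        $problems += "signature status is $($sig.Status): $($sig.StatusMessage)"
    }
    # Check the signer is the publisher we expect, not merely any valid cert.
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    if ($subject -notmatch "CN=$([regex]::Escape($ExpectedSubjectCN))") {
        $problems += "signer subject is '$subject'"
    }
    # Without a timestamp countersignature the signature expires with the cert.
    if ($null -eq $sig.TimeStamperCertificate) {
        $problems += 'no timestamp countersignature found'
    }
    # Cross-check with signtool itself: /pa selects the default Authenticode policy.
    & signtool.exe verify /pa /v $Path | Out-Null
    if ($LASTEXITCODE -ne 0) {
        $problems += "signtool verify returned $LASTEXITCODE"
    }
    return [pscustomobject]@{
        Path = $Path; Signer = $subject
        Valid = ($problems.Count -eq 0); Problems = $problems
    }
}
# Example use (file name and publisher are placeholders):
# Invoke-InstallerSigning -Path '.\MyInstaller.exe'
# Test-InstallerSignature -Path '.\MyInstaller.exe' -ExpectedSubjectCN 'My Company Ltd'
```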