How to pass SmartScreen on Win8 when installing a signed application?

Solution 1:

We just went through the whole process of moving from an old Authenticode certificate to a new one (not an EV certificate, just a plain certificate that can be used in our automated build process).

Microsoft is no longer providing any means of transferring reputation from an existing certificate to a new one. So don't try to call their support. You'll just waste a lot of time and energy. And they won't be able to help.

Microsoft is claiming that if the old and new certificates have the same textual content, the reputation gets established faster. More specifically, here is the reply I got from the SmartScreen® Filter's Application Reputation feature support team:

Please note that whenever you renew a certificate with known reputation, you will likely see some warnings during initial downloads of files signed with the renewed certificate. However, known reputation on the renewed certificate is typically established more rapidly than on a new certificate. While a renewed certificate establishes reputation, users can still click through to run or save the download. To do so, they select Actions | More Options | Run Anyway from Download Manager.

The best way to ensure that SmartScreen won't warn the users is to run the Windows App Certification Kit (WACK) which should be included in the Windows SDK download:

Windows App Certification Kit

After running the tests, WACK explains how to proceed:

Final Report - Validation passed

Upload the XML result of a successful application certification to https://sysdev.microsoft.com. A few days later, SmartScreen will be aware of the digital signature used for the certified program and will no longer warn the users on download.

Note: We were not able to certify our application on the latest updates of Windows 8.1 and had to use a clean install of Windows 8.1 in order to get WACK to validate all of our programs successfully.
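Before uploading anything to sysdev or waiting on reputation, it is worth confirming that the signature on the build output is actually in the state SmartScreen and Windows evaluate: valid, chained to a root the machine trusts, and timestamped. The following PowerShell script is an added example, not code from the answer above; the installer path and the expected publisher subject are placeholders.

```powershell
# Added example: inspect the Authenticode signature on a build artifact and fail loudly
# on the problems that commonly cause a signed file to still be treated as unsigned.
# $Path and $ExpectedSubject are assumptions; substitute your own values.
param(
    [string]$Path            = 'C:\build\MyAppSetup.exe',       # assumed installer path
    [string]$ExpectedSubject = 'CN=Example Software Ltd'        # assumed publisher subject
)

$sig = Get-AuthenticodeSignature -FilePath $Path

# Anything other than Valid (NotSigned, HashMismatch, UnknownError ...) is a hard failure.
if ($sig.Status -ne 'Valid') {
    throw "Signature on $Path is not valid: $($sig.Status) - $($sig.StatusMessage)"
}

$cert = $sig.SignerCertificate
if ($cert.Subject -notlike "*$ExpectedSubject*") {
    throw "Unexpected signer on $Path : $($cert.Subject)"
}

# Build the certificate chain with online revocation checking. A leaf that does not chain
# to a root in the machine's trusted root store cannot establish SmartScreen reputation.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
if (-not $chain.Build($cert)) {
    $chain.ChainStatus | ForEach-Object { Write-Warning $_.StatusInformation }
    throw "Certificate chain for $($cert.Thumbprint) did not build"
}

$root    = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
$trusted = Get-ChildItem -Path Cert:\LocalMachine\Root |
           Where-Object { $_.Thumbprint -eq $root.Thumbprint }
if (-not $trusted) {
    throw "Root '$($root.Subject)' is not in the LocalMachine Root store"
}

# Without a timestamp countersignature the signature is treated as expired as soon as
# the signing certificate expires, which also resets whatever reputation was earned.
if (-not $sig.TimeStamperCertificate) {
    Write-Warning "No timestamp on $Path; re-sign with 'signtool sign /tr <RFC3161 URL> /td SHA256'"
}

# Summary of the fields that reputation is keyed on (certificate and file).
[pscustomobject]@{
    File        = $Path
    Status      = $sig.Status
    Signer      = $cert.Subject
    Issuer      = $cert.Issuer
    Thumbprint  = $cert.Thumbprint
    NotAfter    = $cert.NotAfter
    Root        = $root.Subject
    Timestamped = [bool]$sig.TimeStamperCertificate
}
```

Run it against each installer a release produces; the thumbprint it prints is the value SmartScreen reputation attaches to, so it is also the value to keep constant across builds until the certificate is renewed.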

Solution 2:

If you signed the installer with a certificate purchased from a CA, you are supposed to contact the CA for an explanation of why they failed to work with Microsoft to get rid of this warning.

If the certificate is not from a CA, but a self-signed certificate, you will have to resort to a CA.

Microsoft has already published most of the information on its Windows team blog:

https://blogs.msdn.microsoft.com/ie/2012/08/14/microsoft-smartscreen-extended-validation-ev-code-signing-certificates/

Best Practices

Developers should still follow the best practices we’ve suggested in past blog posts. We have added to that guidance the additional options of distributing apps through the Windows Store and the option of EV code signing:

  • Distribute your apps through the Windows Store

Windows 8 Applications are required to pass the Windows Store developer onboarding and application review process. Windows 8 applications are not in scope for SmartScreen application reputation checks or warnings in Windows 8.

  • Digitally sign your programs (Standard or EV code signing)

Reputation is generated and assigned to digital certificates as well as specific files. Digital certificates allow data to be aggregated and assigned to a single certificate rather than many individual programs. Although not required, programs signed by an EV code signing certificate can immediately establish reputation with SmartScreen reputation services even if no prior reputation exists for that file or publisher. EV code signing certificates also have a unique identifier which makes it easier to maintain reputation across certificate renewals. Only Authenticode Certificates issued by a CA that is a member of the Windows Root Certificate Program can establish reputation.

At this time, Symantec and DigiCert are offering EV code signing certificates.

  • Don’t sign or distribute malicious code

Distributing code detected as malicious will remove the reputation from a file and also any reputation from the associated digital certificate – even if signed with an EV code signing certificate.

  • Apply for a Windows Logo or Windows 8 Desktop App Certification

Learn more about these programs here:
    • Windows 8 Desktop App Certification (required for Windows Store submissions)
    • Windows Logo Program

Solution 3:

I have been searching for a while, so I'll share what I've found so far.

I haven't found any documentation about this feature in Windows 8 from Microsoft, but I may just be looking in the wrong places.

Most of the articles I read say that the SmartScreen Filter works as follows:

  • Before running an installer or executable that was downloaded, Windows 8 consults a database.
  • The database can report whether or not that program has been:
    • reported as malicious/phishing (and verified by a Microsoft employee);
    • used/run by many people.

If enough people have run that installer, without reporting it as malicious, eventually that program will be flagged as safe, and other users will not receive the annoying message.


The information sent to Microsoft when a user installs a program includes the IP address, a hash of the installer and its digital signature, and possibly the filename of the application.

Microsoft employees would have direct access to the database to add and flag as safe all Microsoft applications.

Perhaps Microsoft has set up a way to pre-certify your installer with them; if not, you may just need to wait until enough people run the installer (but I'm not sure how many that would be).

Solution 4:

I just went through this process, and I'll add some tidbits of info to this.

1) Get an EV. It's worth it. Next time you upgrade your certificates, upgrade to an EV certificate. The price is about $100 more per year. EV certificates are considered more secure because they are harder to steal. When the certificate is issued to you, a hardware token device is issued along with it to complete the signing. Unfortunately, the final signing step is not compatible with automated builds.

It's not as terrible as it sounds. They will provide you with a second certificate to sign your executables (inside the installer), which remains compatible with automation. The installer itself must be signed in conjunction with the hardware token.

2) If you don't want to get an EV certificate, you need reputation. If you're upgrading, Microsoft will transfer the reputation from your old certificate to your new one. You must contact MSDN tech support, and in about a week it'll be done. I submitted my old and new installers -- with old and new certificates -- and they fixed it.

3) If this is your first certificate, you're stuck with SmartScreen until you get reputation. You probably should get your app certified through sysdev.microsoft.com. But, it's not really known how many downloads you need before you earn a positive reputation with Microsoft.

That's my experience.
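The two-certificate arrangement described in the answer above (an automation-friendly standard certificate for the binaries inside the installer, an EV certificate on a hardware token for the installer itself) can be scripted so that only the last step needs a person at the keyboard. The following PowerShell script is an added example and not the answer author's code; the signtool.exe path, the two thumbprints, the payload and installer paths, and the timestamp URL are all placeholders for your own values.

```powershell
# Added example: sign payload binaries with the standard certificate (unattended), then sign
# the installer with the EV certificate whose key lives on the hardware token (attended).
# All paths, thumbprints and the TSA URL below are assumptions to be replaced.
param(
    [string]$SignTool      = "${env:ProgramFiles(x86)}\Windows Kits\10\bin\10.0.22621.0\x64\signtool.exe",
    [string]$StandardThumb = '0123456789ABCDEF0123456789ABCDEF01234567',  # standard code-signing cert
    [string]$EvThumb       = 'FEDCBA9876543210FEDCBA9876543210FEDCBA98',  # EV cert, key on the token
    [string]$TimestampUrl  = 'http://timestamp.digicert.com',              # RFC 3161 TSA (assumed)
    [string]$PayloadDir    = 'C:\build\payload',                           # files that go in the installer
    [string]$Installer     = 'C:\build\MyAppSetup.exe'                     # installer produced afterwards
)

$ErrorActionPreference = 'Stop'
if (-not (Test-Path $SignTool)) { throw "signtool.exe not found at $SignTool" }

function Invoke-Sign {
    param([string]$Thumbprint, [string[]]$Files)
    # /fd SHA256  : digest the file with SHA-256 (SHA-1 file digests are no longer trusted)
    # /tr + /td   : RFC 3161 timestamp so the signature stays valid after the cert expires
    # /sha1       : select the signing certificate by thumbprint from the user's store;
    #               for the EV cert this is the certificate the token's CSP/KSP exposes
    & $SignTool sign /fd SHA256 /tr $TimestampUrl /td SHA256 /sha1 $Thumbprint /v @Files
    if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }
}

function Assert-Signed {
    param([string[]]$Files)
    foreach ($f in $Files) {
        # /pa verifies against the default Authenticode policy, i.e. what Windows applies at run time
        & $SignTool verify /pa /v $f
        if ($LASTEXITCODE -ne 0) { throw "signtool verify failed for $f" }
        $sig = Get-AuthenticodeSignature -FilePath $f
        if ($sig.Status -ne 'Valid') { throw "$f : $($sig.Status) - $($sig.StatusMessage)" }
    }
}

# 1. Unattended step: every PE file that ships inside the installer gets the standard certificate.
$payload = Get-ChildItem -Path $PayloadDir -Recurse -Include *.exe, *.dll |
           ForEach-Object FullName
if (-not $payload) { throw "No .exe/.dll files found under $PayloadDir" }
Invoke-Sign   -Thumbprint $StandardThumb -Files $payload
Assert-Signed -Files $payload

# 2. Build the installer from the signed payload with your packaging tool here (omitted).
if (-not (Test-Path $Installer)) { throw "Installer not found at $Installer; build it before this step" }

# 3. Attended step: the installer is signed with the EV certificate. The token's CSP/KSP
#    prompts for the PIN, which is why this step cannot run on an unattended build agent.
Invoke-Sign   -Thumbprint $EvThumb -Files @($Installer)
Assert-Signed -Files @($Installer)
```

Keeping the standard-certificate step and the EV step in one script, with the verification after each, means a build cannot leave unsigned binaries inside a signed installer, which is one of the things a manual two-stage process tends to get wrong.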