问题
I developed a free personal finance application. It is a hobby for me. I have it on my website for download. http://moneyble.com/download/
I frequently (once a month or so) release a new version. So the file's hash changes.
When the file is downloaded from my website the browser displays a warning that the file is not commonly downloaded and can be dangerous. Also on Windows 8 machines SmartScreen warning pops up.
Both these warnings are killing any new users who try to download my software.
I read some articles about Code Signing and realized that I have to buy a Code Signing Certificate. It sounds stupid to pay Microsoft for the right to release my own software. Like they own the Internet. But anyway... they set the rules.
Question:
Should I spend $500 on EV Code Signing Certificate?
or
Can I buy a much cheaper ($100-$200) Microsoft Authenticode Certificate and still get rid of both warnings (Download and SuckScreen)?
My exe-s currently have no reputation with MS. I update exe-s frequently. User-base is slowly growing from 0.
Anybody has real-life similar experience?
Still don't know though how to sign a zip package. I provide a portable install of my program as well. If you download portable zip package on Google Chrome - it displays a nasty message "Moneyble.zip is not commonly downloaded and could be dangerous". Exe within that package is signed. But it does not help. IE does not have this problem. It's only Google Chrome's issue.
IF anyone has suggestions on how to distribute portable installations - I would really appreciate it.
If you want to check warnings download one of the installers from: http://moneyble.com/download/
回答1:
I've just written up a couple of blog posts on this very topic. The following three screenshots are illustrative of the progression from unsigned through standard Authenticode certificate to EV Authenticode certificate:
No digital signature
Signed with standard Authenticode certificate from DigiCert
Signed with EV Authenticode certificate from DigiCert
So unless you can amass whatever critical volume of users Microsoft deems to mean that your program is commonly downloaded, an EV certificate is the fastest way to remove the SmartScreen warnings for all users. For what it's worth, the DigiCert hardware token was very easy to use through the Windows Certificate Manager, but the $450 it cost us is admittedly quite expensive, especially for a hobby.
回答2:
Certification authorities only issue an Extended Validation certificates to developer on condition that the request is on behalf of a recognised organisation for whom the developer is providing a paid service to.
Developers may apply for non-EV code signing certificates for their own use.
To learn more, try this link:
https://cabforum.org/audit-criteria/
回答3:
EV Code Signing Certificate is specially designed to gain instant trust in Microsoft SmartScreen. EV Code Signing established instant application reputation with SmartScreen, effectively killing those download-killing browser warnings.
Check this blog to know more about EV Code Signing
回答4:
The purpose of paying is not stupid as it serves the entire community. The certificate is a way to ensure you are who you say you are. EV certificates require a more thorough validation.
The are cheaper EV Certificates (I think the cheapest one is Commodo's $319 per year). EV Code Signing certificate won't omit all warning as they are a result of other factors such as how many people have downloaded your software, but it will get you the minimum warnings when someone downloads your software. So I would go with the EV option. I also wrote an article about how to use it programmatically.
来源:https://stackoverflow.com/questions/21124634/ev-code-signing-certificate-or-code-signing-certificates-for-microsoft-authentic