Windows SmartScreen prevented an unrecognized app from running. Running this app might put your PC at risk. Although not required, programs signed by an EV code signing certificate. can immediately establish reputation with SmartScreen reputation services even if no prior reputation exists for that file or publisher. EV code signing certificates also have a unique identifier which makes it easier to maintain reputation across certificate renewals. How to Disable SmartScreen Filter in Windows 10/8/8.1. Windows SmartScreen prevented an unrecognized app from starting. Running this app might put your PC at risk. That means, if you download any app from Windows Store, it won’t show any warning like that as all the apps of Windows Store are scanned and verified.
![Defender Defender](/uploads/1/2/4/9/124930991/976925262.png)
@mintty To be honest I ended up here by accident, then I saw the discussion and thrown a few words.
For what I have understand, you have a installer (.exe) that is currently unsigned.
For what I have understand, you have a installer (.exe) that is currently unsigned.
A few years ago I got a certificate for driver signing and is real pain in the ass to get started with it.
First of all, you will need to buy a code sign certificate.
There are two major kinds: Regular and EV.
- Regular: You can use it to sign a .exe, .dll, java applets, etc... (Including drivers*, but Microsoft has changed some policies on Windows 10)
- EV: It does the same thing, but will get reputation on
SmartScreen
.
The EV certificates are really expensive and are extremely boring to get, because they (certification authorities) sell it for companies only (there a few exceptions) and will require a hardware token to store it.
It seems the EV is the only way to solve this SmartScreen issue for sure, but you may get a good reputation with a regular certificate.
It seems the EV is the only way to solve this SmartScreen issue for sure, but you may get a good reputation with a regular certificate.
After you purchase it, you will need to do some proof of identity.
They will likely call you or chat with you by webcam and will require you sign some documents.
They will likely call you or chat with you by webcam and will require you sign some documents.
After all this bureaucracy, you will get a email with a link to generate your own certificate.
If you use Internet Explorer, the process is really painless.
Just click the link, it will generate a certificate on your computer.
Just click the link, it will generate a certificate on your computer.
Having the certificate installed on your system, now you really can starting signing files.
There are a few ways to do it.
There are a few ways to do it.
The easier one, just for testing, you can use a DigiCert Certificate Utility.
Just select the file and sign it. Test it and see if it works as planned.
Just select the file and sign it. Test it and see if it works as planned.
![Smartscreen prevented an unrecognized app Smartscreen prevented an unrecognized app](/uploads/1/2/4/9/124930991/625910503.jpg)
(It really works with any certificate, it doesn't matter if the certificate is not issued by DigiCert)
Considering everything goes ok, you can start automating it...
I'm using the
I'm using the
signtool
, you can get it by downloading Windows SDK.It will be located on:
C:Program Files (x86)Windows Kits10bin10.0.16299.0x86
C:Program Files (x86)Windows Kits10bin10.0.16299.0x64
The docs about the tool are available here:
https://msdn.microsoft.com/en-us/library/windows/desktop/aa387764(v=vs.85).aspx
https://msdn.microsoft.com/en-us/library/windows/desktop/aa387764(v=vs.85).aspx
You can use something like this to automate it:
CERTSHA2
is the thumbprint of the certificate, you can check on the details tab.I am not sure where you will build the installer, but for extra security...
You can also export your certificate with the private key and re import it using the 'strong private key protection' and making it non exportable.
Be careful here, or you may need to generate another certificate.
You can also export your certificate with the private key and re import it using the 'strong private key protection' and making it non exportable.
Be careful here, or you may need to generate another certificate.
There is another way too...
You can export it to a .pfx file and use it directly from the command line with a password (/f and /p flags).
This option is good if you use a build environment.
You can export it to a .pfx file and use it directly from the command line with a password (/f and /p flags).
This option is good if you use a build environment.
I prefer to use it on the Windows Certificate Store, because I sign files only on this computer.
Since you are targeting Windows 10, you don't need to worry with sha1 certificates and windows patches that need to be installed on the clients.
Let me know if you need more details about any step.
English is not my native language, so it may be not as clear as I think I wrote it.
English is not my native language, so it may be not as clear as I think I wrote it.
[]'s