
Monday, April 18, 2016

How to pass the smart screen on Win8 when install a signed application?



We are developers, and we have a digitally signed application installer. When we install this application, it pops up the smart screen, which affects the installing experience. It says:

Windows protected your PC

Windows SmartScreen prevented an unrecognized app from starting, Running this app might put your PC at risk.

I think Microsoft has some strategy to verify the application besides the digital signature. Does anyone have experience with this issue, and can you please give me some clue to fix it?

Answer by Lex Li for How to pass the smart screen on Win8 when install a signed application?


If you signed the installer with a purchased certificate from a CA, you are supposed to contact the CA for explanation on why they failed to work with Microsoft to get rid of this warning.

If the certificate is not from a CA, but a self-signed certificate, you will have to resort to a CA.

Microsoft has most information published on its Windows team blog already:

http://blogs.msdn.com/b/ie/archive/2012/08/14/microsoft-smartscreen-amp-extended-validation-ev-code-signing-certificates.aspx

Best Practices

Developers should still follow the best practices we've suggested in past blog posts. We have added to that guidance the additional options of distributing apps through the Windows Store and the option of EV code signing:

  • Distribute your apps through the Windows Store

Windows 8 Applications are required to pass the Windows Store developer onboarding and application review process. Windows 8 applications are not in scope for SmartScreen application reputation checks or warnings in Windows 8.

  • Digitally sign your programs (Standard or EV code signing)

Reputation is generated and assigned to digital certificates as well as specific files. Digital certificates allow data to be aggregated and assigned to a single certificate rather than many individual programs. Although not required, programs signed by an EV code signing certificate can immediately establish reputation with SmartScreen reputation services even if no prior reputation exists for that file or publisher. EV code signing certificates also have a unique identifier which makes it easier to maintain reputation across certificate renewals. Only Authenticode Certificates issued by a CA that is a member of the Windows Root Certificate Program can establish reputation.

At this time, Symantec and DigiCert are offering EV code signing certificates.

  • Don't sign or distribute malicious code

Distributing code detected as malicious will remove the reputation from a file and also any reputation from the associated digital certificate - even if signed with an EV code signing certificate.

  • Apply for a Windows Logo or Windows 8 Desktop App Certification

Learn more about these programs here: Windows 8 Desktop App Certification (required for Windows Store submissions) and Windows Logo Program.

Answer by Xantix for How to pass the smart screen on Win8 when install a signed application?


I have been searching for a while, so I'll share what I've found so far.

I haven't found any documentation about this feature in Windows 8 from Microsoft, but I may just be looking in the wrong places.

Most of the articles I read discuss that the SmartScreen Filter works as follows:

  • Before running an installer or executable that was downloaded, Windows 8 consults with a database.
  • The database can report whether or not that program has been:
    • reported as malicious/phishing, (and verified by a Microsoft Employee).
    • used/run by many people.

If enough people have run that installer, without reporting it as malicious, eventually that program will be flagged as safe, and other users will not receive the annoying message.

some sources: (here) (here)

The information sent to Microsoft when a user installs a program includes IP address, a hash of the installer and digital signature, and possibly the filename of the application. (see here)

Microsoft employees would have direct access to the database to add and flag safe all Microsoft applications.

Perhaps Microsoft has set up a way to pre-certify your installer with them, if not you may just need to wait until enough people run the installer. (but not sure how many that would be).

Answer by Chris for How to pass the smart screen on Win8 when install a signed application?


I have tested the EV cert solution and it does work.

Sadly, I will also mention that EV certs are incompatible with TeamBuild which executes signing under the context of a service. EV certs require a hardware token that interfaces with the Cryptographic Service Provider that is provided by SafeNet, Inc for use with all authorized EV cert vendors (VeriSign and DigiCert).

When signing occurs, the drivers from SafeNet will prompt for a password, which is somewhat incompatible with executing under the context of a service. Additionally, SafeNet provides protection that prevents signing from anything but the actual console. You cannot even sign from within a remote desktop session. So, signing from within TeamBuild is problematic at best and not possible at worst.

I have worked with Microsoft and they have not been able to provide a workaround for signing or any other way to achieve instant reputation under SmartScreen.

Answer by Lompican for How to pass the smart screen on Win8 when install a signed application?


I just went through this process, and I'll add some tidbits of info to this.

1) Get an EV. It's worth it. Next time you upgrade your certificates, upgrade to an EV certificate. The price is about $100 more per year. EV certificates are considered more secure, because they are harder to steal. When issued to you, a hardware token device will be issued to you to complete the sign. Unfortunately, the final sign is not compatible with automated builds.

It's not as terrible as it sounds. They will provide you a second certificate to sign your executables (inside the installer) which remains compatible with automation. The signature on the installer must be signed in conjunction with the hardware token.

2) If you don't want to get an EV certificate, you need reputation. If you're upgrading, Microsoft will transfer the reputation from your old certificate to your new one. You must contact MSDN tech support and in about a week it'll be done. I submitted my old and new installers -- with old and new certificates -- and they fixed it.

3) If this is your first certificate, you're stuck with SmartScreen until you get reputation. You probably should get your app certified through sysdev.microsoft.com. But, it's not really known how many downloads you need before you earn a positive reputation with Microsoft.

That's my experience.

Answer by Pierre Arnaud for How to pass the smart screen on Win8 when install a signed application?


We just went through the whole process of moving from an old Authenticode certificate to a new one (not an EV certificate, just a plain certificate that can be used in our automated build process).

Microsoft is no longer providing any means of transferring reputation from an existing certificate to a new one. So don't try to call their support. You'll just waste a lot of time and energy. And they won't be able to help.

Microsoft is claiming that if the old and new certificates have the same textual content, the reputation gets established faster. More specifically, here is the reply I got from the SmartScreen® Filter's Application Reputation feature support team:

Please note that whenever you renew a certificate with known reputation, you will likely see some warns during initial downloads of files signed with the renewed certificate. However, known reputation on the renewed certificate is typically established more rapidly than on a new certificate. While a renewed certificate establishes reputation, users can still click through to run or save the download. To do so, they select Actions | More Options | Run Anyway from Download Manager.

The best way to ensure that SmartScreen won't warn the users is to run the Windows App Certification Kit (WACK) which should be included in the Windows SDK download:

Windows App Certification Kit

After running the tests, WACK explains how to proceed:

Final Report - Validation passed

Upload the XML result of a successful application certification to https://sysdev.microsoft.com. A few days later, SmartScreen will be aware of the digital signature used for the certified program and will no longer warn the users on download.

Note: We were not able to certify our application on the latest updates of Windows 8.1 and we had to use a clean install of Windows 8.1 in order to get WACK to validate successfully all of our programs.

Answer by YumYumYum for How to pass the smart screen on Win8 when install a signed application?


Since Windows 8.1 is out.

  • Microsoft deactivated trust for all Standard Code Signing Certificates when you download applications via the internet to your PC and try to install them, but applications signed with Standard Code Signing Certificates work if you distribute your application via USB or CD-ROM.

  • Do not use signtool.exe to verify (signtool.exe verify /pa mysetup.exe will show success, but it will fail when other users download it and try to install it; a SmartScreen popup will keep showing up)

Use Windows App Certification Kit (WACK)


  • These standard code signing certificates are dead. This means that if you have a standard code signing certificate, it won't work reliably anymore like it did in the past. Even if the Windows App Certification Kit (WACK) shows PASS with WARNING, that does not mean it is a 100% verified success.


You have to purchase EV certificate (https://www.globalsign.com/en/code-signing/)

So, to be 100% successful, follow the spoon-feed:

Step 1: Go to https://sysdev.microsoft.com and log in

a) Create a company account > next

b) Download the winqual.exe file, which is provided by Microsoft as a zip file, then sign winqual.exe with your standard certificate or EV certificate and click next to upload the file for validation.

In my case it failed because I have a standard certificate, which Microsoft has stopped allowing. So all you have to do now is buy an EV license, else you are screwed and can spend your lifetime solving this problem without any clue.


Answer by Daniel for How to pass the smart screen on Win8 when install a signed application?


Unfortunately I don't have enough rep to simply comment on one of the above answers. However, if you specify partial trust for your published app (I chose Internet zone) and have a code signing cert in place, no smart screen warning is displayed (checked on Win10).

Answer by Luciano Arruda for How to pass the smart screen on Win8 when install a signed application?


I sign my application in an automated manner using an EV certificate on a token (GlobalSign). Use a .bat file. In the ".bat" file, type, for example (for SHA-1):

SignTool.exe sign /n "Exact Enterprise name in the cert - token" /t "http://timestamp.globalsign.com/scripts/timstamp.dll" "c:\Patch_to_file\Filename.exe"  

The "Exact Enterprise name in the cert - token" should be the exact name that is in the certificate (token).
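
A local pre-release check, as an added example that is not part of the original answers: a valid Authenticode signature (what `signtool verify /pa` confirms) is separate from SmartScreen reputation, so this PowerShell function reports the properties the answers above discuss (signature status, timestamp, EV policy, download mark). The function name `Get-SigningReport`, the placeholder path, and the reliance on the CA/Browser Forum EV code signing policy OID 2.23.140.1.3 are assumptions.

```powershell
# Added example (not from the original answers). Run on Windows, PowerShell 3+.
function Get-SigningReport {
    param([Parameter(Mandatory)][string]$Path)

    # Same trust decision signtool reports: is the embedded signature valid?
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate

    # Assumption: the issuing CA marks EV code signing certificates with the
    # CA/Browser Forum policy OID 2.23.140.1.3 in Certificate Policies
    # (extension 2.5.29.32). The check reads the extension's formatted text.
    $isEv = $false
    if ($cert) {
        $policies = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.32' }
        if ($policies) {
            $isEv = $policies.Format($false) -match '2\.23\.140\.1\.3(\D|$)'
        }
    }

    # Mark of the Web: browsers add a Zone.Identifier alternate data stream
    # to downloaded files (ZoneId=3 is the Internet zone). A copy that never
    # passed through a browser download usually has no such stream.
    $zoneId = $null
    $ads = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    $line = $ads | Where-Object { $_ -match '^ZoneId=\d+' } | Select-Object -First 1
    if ($line) { $zoneId = [int]($line -replace '^ZoneId=', '') }

    [pscustomobject]@{
        File            = $Path
        SignatureStatus = $sig.Status    # Valid, NotSigned, HashMismatch, ...
        Signer          = if ($cert) { $cert.Subject } else { $null }
        CertNotAfter    = if ($cert) { $cert.NotAfter } else { $null }
        # Without a timestamp the signature stops validating when the cert expires.
        Timestamped     = [bool]$sig.TimeStamperCertificate
        EvPolicyOid     = $isEv
        ZoneId          = $zoneId
    }
}

# Placeholder path, reusing the one from the signing command above.
Get-SigningReport -Path 'c:\Patch_to_file\Filename.exe' | Format-List
```

Run it against a copy fetched through a browser rather than the build output, since only the downloaded copy carries the Zone.Identifier stream. None of these fields measures reputation itself.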

