Reputation with OV certificates and are EV certificates still the better option?

Sebastian 41 Reputation points
2021-06-01T04:26:23.973+00:00

Hi, I'm an indie developer writing an Electron application. I've registered a cooperation in Canada a few months ago and I purchased an OV certificate for my software.

The poor wording of the Windows Defender SmartScreen dialog makes most of my non-technical users think they just downloaded a malware application.

Windows Defender SmartScreen prevented an unrecognized app from starting. Running this app might put your PC at risk.

Also the hidden "More Info" button in the dialog doesn't help at all. So my OV certificate is basically useless because it scares off the potential customers. At the same time I need a few hundred or thousand downloads for the message to disappear. That makes absolutely no sense. And I can't just sit this out because most customers will not come back a second time after that experience.

I understand the motivation, but it's poorly executed, and indie developers like me are screwed because of this. I already submitted my application twice through the Windows "File Submission" form. So my questions are...

1) What can I do to speed up the process?
2) Are EV certificates still the better option? Do they still get the "instant" reputation these days? An agent at DigiCert mentioned this is not the case anymore.

Any help from the MS team is highly appreciated!


Accepted answer
  1. Andy YOU 3,066 Reputation points
    2021-06-07T02:07:27.81+00:00

    HI Sebastian-5089,

    Thanks for your waiting.

    1. I've registered a cooperation in Canada a few months ago
    Do you mean you have registered a business company in Canada? If the answer is yes, I think an EV certificate is available.

    2. Are EV certificates still the better option?
    Yes. If there is a signed driver file included in your Electron application, an EV code signing certificate is required to establish a Windows Hardware Dev Center dashboard account.

    "Signing your code is not required to earn a SmartScreen reputation, but EV-signed code’s extra level of trust lets developers skip this hurdle altogether:

    An EV code signing certificate offers an immediate reputation with Microsoft SmartScreen, so your users will never have to click through a SmartScreen warning in Windows.
    With an OV certificate, SmartScreen reputation must be built organically, as users download and install your files. SmartScreen warnings may occur until enough software proves sufficiently popular with Windows users for SmartScreen to view it as “well known.”
    Unfortunately, Microsoft does not publish guidelines on what constitutes enough downloads to eliminate SmartScreen warnings. Microsoft has also indicated in the past that signing code is a “best practice” that you “can follow to help establish and maintain reputation for your applications.”

    Do they still get the "instant" reputation these days?
    From the document below, I think it will come true; we can contact a third-party SSL certificate company.

    Which Code Signing Certificate do I Need? EV or OV?
    https://www.ssl.com/faqs/which-code-signing-certificate-do-i-need-ev-ov/


    2 people found this answer helpful.

6 additional answers

  1. Phillip 6 Reputation points
    2021-06-30T12:18:35.44+00:00

    I have been distributing apps signed with OV certificates for over a decade and can say that they are not meant to be a quick way to avoid SmartScreen warning.

    1. An OV certificate thumbprint takes a very long time to gain reputation (it could be years, plural!)
    2. Apps can also establish a reputation of their own, and according to Microsoft Security intelligence, once they've attained that reputation (through downloads) then SmartScreen should not flag them with a warning.
    3. An app that has established a (positive) reputation and is signed by an OV certificate whose thumbprint has not established a reputation WILL result in a SmartScreen warning.
    4. Any app, with or without an established reputation, signed with an OV certificate whose thumbprint has established a reputation will NOT result in a SmartScreen warning.
    5. Most importantly, apps establish a reputation based on downloads (and their hash), which means that updates to the app will not have the same hash (and therefore will not have /inherit a/the reputation).

    By deduction, it is ideal to have an OV certificate whose thumbprint has established a reputation. Unfortunately, there is neither guidance on how to build an OV certificate reputation nor on how to check OV certificate reputation.
    EV certificates on the other hand have a reputation built in (usually takes a few days before SmartScreen recognizes the thumbprint as opposed to, probably, years for an OV).

    1 person found this answer helpful.
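The distinction Phillip draws (per-file reputation keyed on the file hash, certificate reputation keyed on the signer thumbprint) means a release engineer should confirm that every build is signed by the same certificate and that its thumbprint has not silently changed. The following script is an added example, not code from this thread; it reads the Authenticode signature of a build with the standard `Get-AuthenticodeSignature` and `Get-FileHash` cmdlets and classifies the certificate as EV or OV using the CA/Browser Forum code-signing policy OIDs (2.23.140.1.3 for EV, 2.23.140.1.4.1 for OV); the `$ExpectedThumbprint` parameter is an assumed value you supply from your own certificate.

```powershell
# Added example: report what SmartScreen keys reputation on (signer thumbprint
# and file hash) and whether the signing certificate is EV or OV.
param(
    [Parameter(Mandatory)][string]$Path,
    [string]$ExpectedThumbprint   # assumed: thumbprint of the cert you intend to sign with
)

$sig = Get-AuthenticodeSignature -FilePath $Path
if ($sig.Status -ne 'Valid') {
    Write-Warning "Signature status for ${Path}: $($sig.Status) - $($sig.StatusMessage)"
}
$cert = $sig.SignerCertificate
if (-not $cert) { throw "No signer certificate found on $Path" }

# The Certificate Policies extension (OID 2.5.29.32) lists the CA/B Forum policy OIDs.
$policyExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.32' }
$policyText = if ($policyExt) { $policyExt.Format($true) } else { '' }
$certType   = if ($policyText -match '2\.23\.140\.1\.3') { 'EV' }
              elseif ($policyText -match '2\.23\.140\.1\.4\.1') { 'OV' }
              else { 'Unknown' }

# A thumbprint change (renewal, new CA) restarts certificate reputation from zero.
if ($ExpectedThumbprint -and $cert.Thumbprint -ne $ExpectedThumbprint.ToUpper()) {
    Write-Warning "Signer thumbprint $($cert.Thumbprint) differs from expected $ExpectedThumbprint"
}

# A timestamp counter-signature keeps the signature valid after the cert expires.
[pscustomobject]@{
    File        = $Path
    Status      = $sig.Status
    Subject     = $cert.Subject
    Thumbprint  = $cert.Thumbprint      # what certificate reputation is keyed on
    NotAfter    = $cert.NotAfter
    Timestamped = $null -ne $sig.TimeStamperCertificate
    CertType    = $certType
    FileSHA256  = (Get-FileHash -Path $Path -Algorithm SHA256).Hash   # per-file reputation key
}
```

Run it against each artifact of a release before publishing; a `CertType` of `OV` with a new `FileSHA256` is exactly the case Phillip describes where the file starts without reputation of its own.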

  2. Dave 156 Reputation points
    2022-07-20T22:55:35.8+00:00

    Unfortunately, EV certificates either require manual interaction to sign with a hardware token, impractical for modern CI pipelines, or external platforms like eSigner which costs $1,000's/month if you're signing multiple applications multiple times a day, or CloudHSM platforms, which also cost $1,000's/month. So EV certificates are not an option unless you are earning significant revenue, or can sign builds manually. Seems like there's no middle ground.

    1 person found this answer helpful.

  3. Andy YOU 3,066 Reputation points
    2021-06-15T01:59:58.23+00:00

    HI Sebastian-5089,

    Is there anything to help you?


  4. Andy YOU 3,066 Reputation points
    2021-06-22T01:47:27.87+00:00

    HI Sebastian-5089,

    Is there any progress on your question?
