Reputation with OV certificates and are EV certificates still the better option?

Sebastian 41 Reputation points
2021-06-01T04:26:23.973+00:00

Hi, I'm an indie developer writing an Electron application. I've registered a cooperation in Canada a few months ago and I purchased an OV certificate for my software.

The poor wording of the Windows Smart Screen Defender makes most of my non-technical users think they just downloaded a malware application.

Windows Defender SmartScreen prevented an unrecognized app from starting. Running this app might put your PC at risk.

Also the hidden "More Info" button in the dialog doesn't help at all. So my OV certificate is basically useless because it scares off the potential customers. At the same time I need a few hundred or thousand downloads for the message to disappear. That makes absolutely no sense. And I can't just sit this out because most customers will not come back a second time after that experience.

I understand the motivation but it's poorly executed and indie developers like me are screwed because of this. I already submitted my application twice through the Windows "File Submission" form. So my questions are...

1) What can I do to speed up the process?
2) Are EV certificates still the better option? Do they still get the "instant" reputation these days? An agent at DigiCert mentioned this is not the case anymore.

Any help from the MS team is highly appreciated!


Accepted answer
  1. Andy YOU 3,071 Reputation points
    2021-06-07T02:07:27.81+00:00

    Hi Sebastian-5089,

    Thanks for waiting.

    1. I've registered a cooperation in Canada a few months ago
    Do you mean you have registered a business company in Canada? If the answer is yes, I think an EV certificate is available.

    2. Are EV certificates still the better option?
    Yes. If there is a signed driver file included in your Electron application, an EV code signing certificate is required to establish a Windows Hardware Dev Center dashboard account.

    "Signing your code is not required to earn a SmartScreen reputation, but EV-signed code’s extra level of trust lets developers skip this hurdle altogether:

    An EV code signing certificate offers an immediate reputation with Microsoft SmartScreen, so your users will never have to click through a SmartScreen warning in Windows.
    With an OV certificate, SmartScreen reputation must be built organically, as users download and install your files. SmartScreen warnings may occur until enough software proves sufficiently popular with Windows users for SmartScreen to view it as “well known.”
    Unfortunately, Microsoft does not publish guidelines on what constitutes enough downloads to eliminate SmartScreen warnings. Microsoft has also indicated in the past that signing code is a “best practice” that you “can follow to help establish and maintain reputation for your applications.”"

    Do they still get the "instant" reputation these days?
    From the document below, I think it will hold true; we can contact a third-party SSL certificate company.

    Which Code Signing Certificate do I Need? EV or OV?
    https://www.ssl.com/faqs/which-code-signing-certificate-do-i-need-ev-ov/


    2 people found this answer helpful.

6 additional answers

  1. Nick 0 Reputation points
    2023-09-09T12:08:45.7266667+00:00

    **A new EV certificate does NOT give an immediate SmartScreen bypass.**

    Recently in August 2023 we obtained an EV certificate from Sectigo/Comodo and a Yubico hardware HSM, which is now mandatory. We've been code signing for well over a decade with OVs, and as CAs advertise instant reputation with SmartScreen (which is false as it turns out), we decided this time to go that route. We had to request three certificates from Sectigo after they made a typo in the company name first of all (I don't know how that could happen as the CSR was correct) and then there was an issue with the 2nd, and after finally being able to sign correctly with the 3rd certificate, we tested a download of a signed exe. SmartScreen appeared.

    So caveat emptor, despite what the CAs advertise, an EV does not give immediate trust to an exe. We submit fresh exes to Microsoft, reporting an incorrect SmartScreen detection, and they quickly get scanned and within typically a few hours a response is received saying that the application will no longer receive warnings with SmartScreen. At the moment for us it also says that the certificate is gaining trust and once it has, signed programs will then be automatically trusted. A dampener to this is that we are submitting four installer exes at a time (in separate submissions), and sometimes only the first completes in a few hours; the others can take hours longer. I wondered if it's because the names are the same, and Microsoft think we're impatient and submitting the same program four times, or whether there is some penalty for "overusing" the service.

    An EV might still make sense over an OV, but as we found, the process of getting set up, particularly if under time constraints, and then on an ongoing basis can be pretty stressful and horrible.


  2. Gloria Bradford 0 Reputation points
    2023-09-16T18:10:24.83+00:00

    I understand your concern about Windows SmartScreen causing issues for your Electron application. Here are short answers to your questions:

    To speed up the process, consider gathering more positive feedback, using trusted code signing certificates, and building a reputation for your software.

    EV (Extended Validation) certificates used to offer an "instant" reputation boost, but this has changed over time. EV certificates may still help, but they're not a guaranteed solution. You can find more details on the differences between EV and OV certificates in this reference link: Differences between EV and OV Code Signing Certificates.

    Ultimately, improving your software's reputation and user feedback may be the most effective way to address the SmartScreen issue.
