Hello
I'm working on an open source, completely free, C++ project. It's built using VS community though I'm not sure if that's really relevant.
Currently when my users download the software, they're presented with a defender warning that the software is untrusted.
I've finished a release and would like to deploy it and I'm struggling to understand how to sign it (so that defender doesn't mark it as unsafe). In truth I'm a little unclear on whether I need to sign the actual software or the installation package - which I made via Inno Setup - which is what MS flags when it's downloaded from the web. I'd be fine to migrate off of Inno and onto a MS equivalent, Inno's primary task for me (other than copying files) is launching the MS VC++ redistributable.
I didn't notice these issues during development, something about downloading the executable from the web triggers the defender warning in a way that a local network copy doesn't (even when shared over network to a VM).
I understand that there are some companies that will sell a certificate to help establish trust, but I'm not sure what a zero-budget indy dev is supposed to do. I'm working on software for academic research and we really don't have money.
I could write this stuff in python of javascript and avoid signing issues, but the project really wants high performance, and (frankly) I really enjoy writing in C++. I was able to find a way for google to agree to review my software to prevent chrome from flagging it as untrusted upon download, but I'm concerned that my less-savvy users will really struggle with the MS warning that it might be unsafe.
Does anyone have tips on how to establish trust without some $$$ to grease the wheels? Is there maybe some MS program to help aspiring devs who are working for public good and not private cash?
Thanks!
Dave