Good to know: Windows SmartScreen certificate reputation

Assume that you have developed a full-trust Windows desktop application (such as based on WPF) and deployed it using ClickOnce some time ago. Of course, to ensure people trust your application upon downloading or running it, you signed its manifests using a certificate that you’ve purchased from a trusted authority.

Now people are able to run the application just fine, but suppose that the certificate is about to expire. You purchase a certificate renewal and receive its content, sign the ClickOnce app manifests using the new one, and test it, expecting that people can continue to download and run it as before.

In Windows 10/8.1, however, you’ll probably notice that although the certificate information (i.e. your company name and location) is correctly displayed upon trying to download and run the application, the end user is presented with a supplemental Windows SmartScreen filter warning that requires supplemental accept to run the app after the download completes.

It’s important to understand that this behavior is by design and it is caused by the fact that Windows 10 SmartScreen feature determines the reputation of your app mostly based on the reputation of the certificate (along with the file name and download location), and when the certificate is new it will take some time for some people to accept running apps signed with it without reporting them as malicious (or passing specific checks at Microsoft.) After that, the warning will not appear anymore and people can run the apps without the extra step of passing through the filter.

So there is nothing you can or should do about this situation. And the same may apply also when you deploy the signed Windows application using a different channel instead of ClickOnce.

(If you really want you can buy an EV certificate – meaning extended verification – which supposedly has a higher trust level and requires less reputation level, but I haven’t tested this approach myself; I just learned about this from some Web forums, indicated by people who say they discussed the same issue with Microsoft Support staff.)

Advertisements

About Sorin Dolha

My passion is software development, but I also like physics.
This entry was posted in .NET, WPF and tagged , , , , , . Bookmark the permalink.

Add a reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s