Let us say you are an independent developer and it is time to publish your app to the world. To make it easier, you build an installer and start distributing it. A courageous early adopter downloads and runs it, only to be greeted by this strongly worded warning:
Indeed, in today’s Windows environment, Microsoft puts a warning in front of unknown binaries before they run, courtesy of “SmartScreen”.
But what is SmartScreen?
SmartScreen is a cloud reputation service: when a file downloaded from the Internet is first run, Windows looks up the file (by hash) and its signing certificate (if any) against data Microsoft collects from the Windows user base. If neither the file nor the publisher has an established good reputation, you get this big warning message. By that point most users have deleted the .exe already, assuming it is malware. The warning can be dismissed by clicking “More info” and then “Run anyway”, but few first-time users know that.
The digital signature racket
But how do you build reputation? First of all, Microsoft needs to be able to tie the app to a publisher, and this is done with a code signing certificate. The most obvious implication is that unsigned apps will trigger SmartScreen: whatever reputation an unsigned file accumulates is tied to that exact binary, so every new build starts from zero. The more insidious implication is that acquiring a code signing certificate is a big expense for an individual developer. There is currently no “Let’s Encrypt” equivalent for code signing certificates, so you have to purchase one from a trusted certificate authority. The price range is wide, but a certificate valid for only a year will typically go for about $100.
But let’s say you bite the bullet, buy yourself an overpriced set of computer-generated prime numbers, sign your code and re-publish your application. You can now start getting users to install your app, right? Wrong.
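The signing step deserves to be spelled out, because the details decide what SmartScreen and the Windows trust chain actually see. The PowerShell script below is an added example, not code from the original post: it signs the installer with a timestamped SHA-256 Authenticode signature using signtool from the Windows SDK, verifies it, and then inspects the file the way a downloaded copy would be inspected. The installer path, PFX file, environment variable and the DigiCert timestamp URL are assumptions you substitute for your own.

```powershell
# Added example (not from the original post): sign a release binary with a
# timestamp, verify it, and inspect what SmartScreen will see.
# Assumptions: signtool.exe from the Windows SDK is on PATH, the certificate
# and key are in a PFX file, and the paths/URLs below are placeholders.

param(
    [string]$Binary  = '.\dist\MyApp-Setup.exe',   # hypothetical installer
    [string]$PfxPath = '.\codesign.pfx',           # hypothetical key file
    [string]$PfxPass = $env:CODESIGN_PFX_PASSWORD, # keep the password out of the script
    [string]$TsaUrl  = 'http://timestamp.digicert.com'
)

# 1. Sign with a SHA-256 file digest (/fd) and an RFC 3161 timestamp (/tr, /td).
#    The timestamp is what keeps the signature valid after the certificate
#    itself expires; without it, expiry invalidates every binary you shipped.
& signtool sign /fd SHA256 /f $PfxPath /p $PfxPass /tr $TsaUrl /td SHA256 $Binary
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# 2. Verify against the default Authenticode policy (/pa) and print the chain,
#    the signer and the timestamp, exactly as Windows will evaluate them.
& signtool verify /pa /v $Binary
if ($LASTEXITCODE -ne 0) { throw "signature does not verify" }

# 3. The same check from PowerShell, usable on any copy of the file.
$sig = Get-AuthenticodeSignature -FilePath $Binary
[pscustomobject]@{
    Status      = $sig.Status                          # expect 'Valid'
    Signer      = $sig.SignerCertificate.Subject       # the publisher SmartScreen keys reputation on
    NotAfter    = $sig.SignerCertificate.NotAfter      # certificate expiry date
    Timestamped = [bool]$sig.TimeStamperCertificate    # $true if step 1 timestamped it
}

# 4. SmartScreen's app-reputation check runs for files carrying the Mark of the
#    Web: the Zone.Identifier alternate data stream a browser attaches on
#    download. A freshly built binary has none, so to reproduce what users see,
#    test a copy you actually downloaded, not the build output.
$motw = Get-Item -LiteralPath $Binary -Stream Zone.Identifier -ErrorAction SilentlyContinue
if ($motw) {
    Get-Content -LiteralPath $Binary -Stream Zone.Identifier   # ZoneId=3 means Internet
} else {
    'no Zone.Identifier stream: SmartScreen would not evaluate this copy'
}
```

Run it once on the build output and once on a copy fetched through a browser; only the second has the Zone.Identifier stream, and only that copy reproduces the warning. If you skip the timestamp flags, step 3 reports Timestamped = False and the signature stops validating the day the certificate expires.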
Building reputation is a catch-22
Even with your newly signed application, SmartScreen will still trigger. After all, you are an unknown new publisher, and the “building up reputation” part of SmartScreen is a complete black box: Microsoft publishes no thresholds, no timelines and no way to query your standing. So here’s the catch-22: to build up reputation, you need people to install your software so that Microsoft collects data. To get users to install your software, they must not be greeted by a message that strongly suggests your piece of code will harm their computers.
It gets worse.
If you try to publish your piece of software with WinGet (in a nutshell: Microsoft’s new command-line package manager, still in preview at the time of writing), you will get this message from Microsoft:
In the words of Microsoft, your application is considered malware if it triggers SmartScreen. They link to a potential solution in the form of submitting your file for review through a dedicated link. If you follow all of this process, this is the response you will get:
We’ve reviewed your submission and we’ve confirmed that the submitted files are clean. Windows Defender Antivirus doesn’t report them as malware.
The message you observed is a notification from Windows Defender SmartScreen indicating that the application does not have known reputation in our system.
Application reputation warnings are meant to inform end users when applications do not have known positive reputation. This doesn’t mean that the application is malicious, only that it is “unknown”. Please note that users can still proceed to download and run the application.
In most cases, a digitally signed application will establish reputation organically, unless something has happened to denigrate existing reputation such as being used to sign malware. We will investigate this issue further and contact you if we need additional information.
In essence: your app is clean, but we won’t do anything about the SmartScreen warning. Our cloud-bot overlords will decide when it is fine for you to be trusted.
And it still gets worse.
Let’s say you finally get accepted by the algorithms that be as a trusted publisher. Your certificate is about to expire and you renew it. Simple “business as usual” in the world of the Internet. In the world of Windows software, though, that means your reputation is reset back to nothing. SmartScreen does not treat a renewal as a continuation of the old certificate: the new certificate is an unknown publisher again, and you have to go through this painful process yet another time. (The binaries you already shipped keep verifying, provided you timestamped the signatures; what resets is the reputation, not the validity of existing signatures.)
This can be mitigated by purchasing a certificate with a longer validity period, but at this point the cost simply becomes an insurmountable barrier for most independent developers.
EV Code Signing Certificates
For independent developers, this is the end of the road. For publishers, there is another solution: the Extended Validation (EV) Code Signing Certificate. Signing code with one of these grants immediate SmartScreen reputation, so the warning is skipped from the first download. It is reserved for registered organisations, and, as the name suggests, it is subject to additional identity checks done by the certificate authority; the private key also has to live on a hardware token, which adds to the cost and the operational friction.
Digicert.com, a popular CA for code signing certificates, sells them for a whopping $699 a year.
As an independent developer, one solution would be to go through the trouble of registering a sole proprietorship and forking out the outrageous prices that these certificates command. Of course, that isn’t a realistic endeavour for most.
“Developers, developers, developers!”
“Developers, developers, developers!” was a cry from Steve Ballmer and part of one of the speeches that defined him as CEO of Microsoft. Those famous words were uttered back in 2006. Fourteen years later, under Satya Nadella, Microsoft is being praised for becoming more open than ever. Ironically, it seems that Microsoft has made its Windows environment extremely hostile towards its beloved developers. A change in SmartScreen, or in the way code signing certificates work, is needed to turn around this dire situation.