問題描述
EV 代碼簽名證書或 Microsoft Authenticode 的代碼簽名證書 (EV Code Signing certificate or Code Signing Certificates for Microsoft Authenticode)
我開發了一個免費的個人理財應用程序。這對我來說是一種愛好。我在我的網站上有它可供下載。http://moneyble.com/download/
我經常(每月一次或所以)發布一個新版本。因此文件的哈希值發生變化。
當從我的網站下載文件時,瀏覽器會顯示警告,指出該文件不常被下載並且可能存在危險。同樣在 Windows 8 機器上彈出 SmartScreen 警告。
這兩個警告都會殺死所有嘗試下載我的軟件的新用戶。
我閱讀了一些關於代碼簽名的文章並意識到我必須購買代碼簽名證書。為發布我自己的軟件的權利向微軟付費聽起來很愚蠢。就像他們擁有互聯網一樣。但無論如何......他們制定了規則。
問題:
我應該花 500 美元購買 EV 代碼簽名證書嗎?
或
我可以購買更便宜的(100 美元到 200 美元)Microsoft Authenticode 證書並仍然擺脫這兩個警告(下載和 SuckScreen)嗎?
我的 exe‑s 目前在 MS 中沒有聲譽。我經常更新 exe‑s。用戶群從 0 開始緩慢增長。
任何人在現實生活中都有類似的經歷嗎?
仍然不知道如何簽署 zip 包。我也提供了我的程序的便攜式安裝。如果您在 Google Chrome 上下載便攜式 zip 包 ‑ 它會顯示一條令人討厭的消息“Moneyble.zip 不常下載並且可能很危險”。該包中的 exe 已簽名。但這沒有幫助。IE沒有這個問題。這只是 Google Chrome 的問題。
如果有人對如何分發便攜式安裝有建議 ‑ 我將非常感激。
如果您想檢查警告,請從以下位置下載安裝程序之一: http://moneyble.com/download/
參考解法
方法 1:
I've just written up a couple of blog posts on this very topic. The following three screenshots are illustrative of the progression from unsigned through standard Authenticode certificate to EV Authenticode certificate:
No digital signature 
Signed with standard Authenticode certificate from DigiCert 
Signed with EV Authenticode certificate from DigiCert 
So unless you can amass whatever critical volume of users Microsoft deems to mean that your program is commonly downloaded, an EV certificate is the fastest way to remove the SmartScreen warnings for all users. For what it's worth, the DigiCert hardware token was very easy to use through the Windows Certificate Manager, but the $450 it cost us is admittedly quite expensive, especially for a hobby.
方法 2:
Certification authorities only issue an Extended Validation certificates to developer on condition that the request is on behalf of a recognised organisation for whom the developer is providing a paid service to.
Developers may apply for non‑EV code signing certificates for their own use.
To learn more, try this link:
https://cabforum.org/audit‑criteria/
方法 3:
The purpose of paying is not stupid as it serves the entire community. The certificate is a way to ensure you are who you say you are. EV certificates require a more thorough validation.
The are cheaper EV Certificates (I think the cheapest one is Commodo's $319 per year). EV Code Signing certificate won't omit all warning as they are a result of other factors such as how many people have downloaded your software, but it will get you the minimum warnings when someone downloads your software. So I would go with the EV option. I also wrote an article about how to use it programmatically.
方法 4:
Just found this a few months ago, free authenticode code signing certificate (partly manual verification etc.) especially for open source developers individuals but also for teams / projects (need to apply for each project) at a company in austria (not aussies) called signpath.
ajs of july 2022 it is still valid / offered / available:
https://about.signpath.io/product/editions
they speak about vim for windows as one of a project that is making use of their offer and I think I originally found it at some distribution of some openjdk or related binary packages and whatnot. enjoy.
(by Sergei Overko、Rich Pollock、Eugene Balabanov、Michael Haephrati、amacnewbie)