1

Topic: SmartScreen and EV code signing certificate

Hello! I received an EV code signing certificate from GlobalSign in order to avoid the SmartScreen prompt. I signed a file, but after downloading and launching it, SmartScreen still appears. I signed it like this:
signtool.exe sign /a /fd sha256 /tr http://timestamp.globalsign.com/?signature=sha2 /td SHA256 FileName.exe
and like this:
signtool.exe sign /a /tr http://timestamp.globalsign.com/?signature=sha2 /td SHA256 FileName.exe
Please advise how to sign a file correctly so that SmartScreen does not appear. Many thanks in advance!

2

Re: SmartScreen and EV code signing certificate

Hello, AntonVinnik, you wrote:
AV> Please advise how to sign a file correctly so that SmartScreen does not appear.
Some time is required for the certificate to build up an initial trust rating (approximately a few hundred installations).

3

Re: SmartScreen and EV code signing certificate

Hello, Ivanoff, you wrote:
I> Some time is required for the certificate to build up an initial trust rating (approximately a few hundred installations).
GlobalSign states the opposite: https://www.globalsign.com/en/code-signing-certificate/
DigiCert too: https://www.digicert.com/code-signing/e … igning.htm

4

Re: SmartScreen and EV code signing certificate

And here it is directly from Microsoft: https://blogs.msdn.microsoft.com/ie/201 … tificates/
Programs signed by an EV code signing certificate can immediately establish reputation with SmartScreen reputation services even if no prior reputation exists for that file or publisher. Other factors are considered when generating reputation and determining product experiences and EV-signed programs will be closely monitored over time. We think the improvements in the vetting and security of these certificates are a great development for both users and developers.

5

Re: SmartScreen and EV code signing certificate

Hello, AntonVinnik, you wrote:
AV> And here it is directly from Microsoft: https://blogs.msdn.microsoft.com/ie/201 … tificates/
AV> Programs signed by an EV code signing certificate can immediately establish reputation
AV> with SmartScreen reputation services even if no prior reputation exists for that
AV> file or publisher. Other factors are considered when generating reputation and determining
AV> product experiences and EV-signed programs will be closely monitored over time.
AV> We think the improvements in the vetting and security of these certificates are
AV> a great development for both users and developers.
"Other factors", "prior reputation"... Judging by the given text, EV helps, but not with everything. Probably the given file (more precisely, the part of it that does not include the code signature) was classified by SmartScreen as unknown earlier, and that played a role. Or possibly something else. It is necessary to try on  a clean build of the program which was not in  before.
AV> I signed it like this:
AV> signtool.exe sign /a /fd sha256 /tr http://timestamp.globalsign.com/?signature=sha2 /td SHA256 FileName.exe
AV>
AV> and like this:
AV> signtool.exe sign /a /tr http://timestamp.globalsign.com/?signature=sha2 /td SHA256 FileName.exe
The variant with /fd is more correct. We have a GlobalSign (EV) certificate, and we sign like this:
signtool.exe sign ... /fd SHA256 /tr http://timestamp.globalsign.com/?signature=sha2 /td SHA256 FileName
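
A check a publisher can run after signing, given here as an added example that is not part of any post in the thread: it reports whether the Authenticode signature validates, whether it carries a timestamp, and whether the signer certificate asserts the CA/Browser Forum EV code signing policy OID (2.23.140.1.3). FileName.exe is the name used in the thread; the script does not query SmartScreen reputation, it only confirms the signature itself is what was intended.

```powershell
# Added example: inspect the Authenticode signature of a signed file.
# 'FileName.exe' is the placeholder name from the thread; pass your own path.
param([string]$Path = 'FileName.exe')

# Policy OID asserted by EV code signing certificates (CA/Browser Forum).
$EvCodeSigningOid = '2.23.140.1.3'
# OID of the certificatePolicies X.509 extension.
$CertPoliciesOid  = '2.5.29.32'

$sig = Get-AuthenticodeSignature -FilePath $Path
if ($sig.Status -ne 'Valid') {
    Write-Warning "Signature status: $($sig.Status) - $($sig.StatusMessage)"
}

$cert = $sig.SignerCertificate
$isEv = $false
if ($cert) {
    # Look for the EV policy identifier inside the certificatePolicies extension.
    $policies = $cert.Extensions | Where-Object { $_.Oid.Value -eq $CertPoliciesOid }
    if ($policies) {
        $isEv = [bool]($policies.Format($false) -match [regex]::Escape($EvCodeSigningOid))
    }
}

# A signature without a timestamp stops validating when the certificate expires.
$tsCert = $sig.TimeStamperCertificate

[pscustomobject]@{
    File            = $sig.Path
    Status          = $sig.Status
    Subject         = $cert.Subject
    Issuer          = $cert.Issuer
    CertValidUntil  = $cert.NotAfter
    IsEvCodeSigning = $isEv
    Timestamped     = [bool]$tsCert
    TimestampSigner = $tsCert.Subject
}
```

Saved under a hypothetical name such as Check-Signature.ps1, it is run as `.\Check-Signature.ps1 -Path .\FileName.exe` on the machine where the file was signed.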

6

Re: SmartScreen and EV code signing certificate

Hello, AntonVinnik, you wrote:
AV> Many thanks in advance!
Our code signing certificate has built up reputation, and it does not complain about new versions. EV is probably not necessary.

7

Re: SmartScreen and EV code signing certificate

Hello, AntonVinnik, you wrote:
AV> And here it is directly from Microsoft: https://blogs.msdn.microsoft.com/ie/201 … tificates/
"can immediately establish" != "immediately establish". However, I am ready to agree if you have another reasonable explanation for what happened.