* The Business of Software

A former community discussing the business of software, from the smallest shareware operation to Microsoft. A part of Joel on Software.

We're closed, folks!


» Business of Software FAQ
» The Business of Software Conference (held every fall, usually in Boston)
» Forum guidelines (Please read before posting!)


Andy Brice
Successful Software

Doug Nebeker ("Doug")

Jonathan Matthews
Creator of DeepTrawl, CloudTrawl, and LeapDoc

Nicholas Hebb
BreezeTree Software

Bob Walsh
host, Startup Success Podcast author of The Web Startup Success Guide and Micro-ISV: From Vision To Reality

Patrick McKenzie
Bingo Card Creator

Changing certificate providers & W8 SmartScreen

So I saved a couple of hundred $ last month by moving to Comodo (from DigiCert), and made a new release yesterday.

Now the dreaded SmarktScreen is back on W8, which I can only put down to the change in certificate. Worse still is that even if I sign the executable I'm still getting Unknown Publisher (in the past, we only signed the ClickOnce manifest, which is the usual practice for clickone deployments).

There apparently is some mechanism by which you can inform MS of a change in key and move some of your old app reputation - I have spent hours searching for a way to do this today, does anyone have any idea?

I despise MS for the way in which they have implemented this, and that even when you try and jump through every hoop they lay out for you, these issues still arise. Also add to the mix the idea that if people get used to just clicking "run anyway" because of so many false positives (if they can find the option under "more info"), then the whole idea falls apart anyway.

Anyway that was just a rant really, but if anyone has an email address to send this reputation transfer request to I'd be grateful.

Matthew Fender Send private email
Sunday, October 13, 2013
Failing any sort of reputation transfer - does anyone have any idea of the numbers of downloads required before MS decides you are OK again?? Am I going to have to jump through even more hoops (and money) to get an EV cert??
Matthew Fender Send private email
Sunday, October 13, 2013
I have seen this happen for 12-24 hours after signing with the new certificate. It goes away after that.
AK Send private email
Sunday, October 13, 2013
> Worse still is that even if I sign the executable I'm still getting Unknown Publisher

By "executable" do you mean the program or the installer? I sign both and have never had "Unknown Publisher" show in the dialog.
Nicholas Hebb Send private email
Sunday, October 13, 2013

Previously I was signing the setup.exe bootstrapper and the manifest, but not the installed executable itself. This has always been fine.

Since the update, I now get a smart screen warning when the actual executable is run (post install), and it says unknown publisher. I have tried signing this (in the .deploy stage), and if I right click this file I can see certificate info. Still says unknown publisher. When to sign the app exe might be an issue, I'm not sure. I tried signing after I had made the deployment, which I do with a third party tool post-obfuscation.
Just to confuse matters further, I don't actually deploy a new bootstrapper with each release as it is not (usually) required. The one I am still running now is signed with my old key, and does not throw a warning. I tried signing a new one with my new key and did get a warning.

I hate these sorts of problems - 5 hours of my day wasted with so much other work to do..

Matthew Fender Send private email
Sunday, October 13, 2013
ps I desperately want to get away from ClickOnce as a deployment solution - I picked it when I was quite clueless about things, and thought the auto updates would be nice. It causes me a lot of grief - not least the laughable fact that you cannot even windows logo your clickonce application (true at least for W7) - mostly I think because their automatic tool was unable to detect CO installs. Another half day of my life wasted on that before I realised. Apparentyl a W7/8 logo helps with reputation for smartscreen as well.
Any suggestions for to painlessly  transfer to another deployment method?

Matthew Fender Send private email
Sunday, October 13, 2013

This topic is archived. No further replies will be accepted.

Other recent topics Other recent topics
Powered by FogBugz