The last time I used my Code Signing Certificate (CSC) was back in March 2018, when it worked fine. I recently completed a software update and tried to re-sign my setup.exe installation file, and signtool.exe reported my password was wrong... This is kind of impossible, as it was a verbatim copy of the text string used to sign the file back in March. Anyway, this forced me to rekey my CSC. I was then able to successfully sign my setup.exe file.
What happens now is completely beyond me... When checking the status of my setup.exe installation file on my PC by right-clicking and selecting Properties, the setup.exe file is found to be digitally signed by my CSC. Double-clicking to run the file, I get the correct installation message box stating the file was produced by a verified publisher; all good so far. However, if I upload the file to my website and then download it via a browser, when I run the downloaded setup.exe file I get a "Windows protected your PC" message, this even though the file properties still show it is signed by my CSC. Two options on the "Windows protected your PC" form are available: exit or "more info". The more info option then shows the file has a CSC by my company. This behavior is clearly wrong, as my potential customer would exit at the "Windows protected your PC" warning.
Can anyone help or point me to a possible solution, as it's beyond my skill set now...
Spent an hour or so on the phone talking to GoDaddy technical support and they confirmed my file was correctly signed and did not know why, when installing my software on a customer's PC, Windows 10 showed a "Windows protected your PC" message.
I inquired as to whether or not Microsoft had moved the goal posts, and now the use of merely a code signing certificate was not considered adequate protection for the end user's PC? Never really got an answer to this question; GoDaddy staff were noncommittal on this subject, even when pressed several times...
I found this statement on Microsoft's blog:
Digitally sign your programs (Standard or EV code signing)
Reputation is generated and assigned to digital certificates as well as specific
files. Digital certificates allow data to be aggregated and assigned to a single
certificate rather than many individual programs. Although not required, programs
signed by an EV code signing certificate can immediately establish reputation with
SmartScreen reputation services even if no prior reputation exists for that file
or publisher. EV code signing certificates also have a unique identifier which makes
it easier to maintain reputation across certificate renewals. Only Authenticode
Certificates issued by a CA that is a member of the Windows Root Certificate Program
can establish reputation.
These EV certificates are very expensive, and having just purchased a 3-year code signing certificate, I am wondering if I simply wasted my money?