How Can I Reduce the Windows SmartScreen Warning for My Companion App?

Asked By CleverPenguin23 On

I've developed a product called the Mathematical Keyboard, which is a compact keyboard designed to help users type math symbols quickly across various applications, not just in equation editors. To enhance its functionality, the keyboard relies on a lightweight background companion app built with AutoHotkey. This app listens for specific keyboard shortcuts and inserts Unicode math symbols effortlessly across the system.

While I've made the app open-source and available on GitHub, I'm facing an issue with Windows SmartScreen. When users download the .exe file, they encounter a warning stating 'Windows protected your PC' due to it being from an 'Unknown publisher.' This understandably deters non-technical users from proceeding with the installation.

I've been exploring code signing as a potential solution, but I'm finding that obtaining a signing certificate can be quite costly for a niche project like mine. It's also clear that simply signing the app does not instantly remove the SmartScreen warning, as the application needs to accumulate a download reputation over time.

I'm reaching out for advice from those with experience in distributing Windows software: Is there a way to effectively remove the SmartScreen warning without investing in an expensive certificate? Would options like packaging the app differently, distributing through the Microsoft Store, or adopting certain best practices help alleviate user concerns? Any insights would be greatly appreciated!

4 Answers

Answered By TechSavvySam On

For my project, I found that using Azure Artifact Signing tied into GitHub Actions for automatic signing with every build worked wonders. It only costs $11 a month, and it's pretty straightforward! Just make sure to set up your payment method to speed up the organization verification process.

MathKeyboardMaker -

That's awesome! I had no idea about that option! I'll definitely check it out, thanks!

Answered By InsiderInfo48 On

SmartScreen operates by checking file reputations every time something is downloaded. If a file is unrecognized or hasn’t been downloaded much, the warning appears. Signing your file helps build that reputation even as you update it; the signature carries the reputation, which makes things easier with future updates.

MathKeyboardMaker -

Thanks for the detailed explanation! It’s clear now that signing the app will help it build reputation over time, even with future updates, which definitely makes getting it signed a priority!
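
If the signature is what carries reputation from one release to the next, as the answer above says, each build is worth checking before it is published. The following PowerShell release check is an added example, not code from anyone in this thread; the file and publisher names in the usage line are placeholders.

```powershell
# Added example: pre-release check of an Authenticode signature (Windows PowerShell 5.1+).
function Test-ReleaseSignature {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,               # build about to be published
        [Parameter(Mandatory)] [string] $ExpectedPublisher,  # expected signer common name
        [string] $PreviousReleasePath                        # optional: last published build
    )

    $problems = @()
    $sig = Get-AuthenticodeSignature -FilePath $Path

    # 'Valid' means the file is signed, unmodified since signing, and the
    # certificate chains to a root that this machine trusts.
    if ($sig.Status -ne 'Valid') {
        $problems += "Signature status is $($sig.Status): $($sig.StatusMessage)"
    }

    $publisher = $null
    if ($sig.SignerCertificate) {
        # SimpleName is the subject's common name when one is present.
        $publisher = $sig.SignerCertificate.GetNameInfo('SimpleName', $false)
        if ($publisher -ne $ExpectedPublisher) {
            $problems += "Unexpected publisher: $publisher"
        }
        # Without a timestamp countersignature the signature stops validating
        # once the signing certificate expires.
        if (-not $sig.TimeStamperCertificate) {
            $problems += 'No timestamp countersignature'
        }
        # Compare publisher names, not thumbprints: a thumbprint changes
        # whenever the certificate is renewed or rotated.
        if ($PreviousReleasePath) {
            $prev = Get-AuthenticodeSignature -FilePath $PreviousReleasePath
            if ($prev.SignerCertificate -and
                $prev.SignerCertificate.GetNameInfo('SimpleName', $false) -ne $publisher) {
                $problems += 'Publisher differs from the previous release'
            }
        }
    }

    [pscustomobject]@{
        Path      = $Path
        Status    = $sig.Status
        Publisher = $publisher
        Problems  = $problems
        Passed    = ($problems.Count -eq 0)
    }
}

# Usage (placeholder names):
# Test-ReleaseSignature -Path .\companion.exe -ExpectedPublisher 'Example Publisher'
```

An unsigned build comes back with `Status` set to `NotSigned` and `Passed` set to `$false`, so the function can gate a release script.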

Answered By CodeSigningWizard On

It's a common misconception that a standard signing certificate doesn't quickly remove the SmartScreen warning. In my experience, signing your software significantly reduces user fear; the SmartScreen warning should disappear swiftly upon signing. Code signing has gotten pricier lately, especially with the need for hardware modules, but it's worth the investment in the long run. A three-year certificate can really streamline this process.

MathKeyboardMaker -

I appreciate this insight! It's reassuring to know that the warning can disappear with signing. Do you have a specific provider you'd recommend for obtaining a code signing certificate?

Answered By SecurityGuru101 On

You could either guide users through bypassing the SmartScreen warning, get your app signed, or let users know how they can sign it themselves. Alternatively, submitting your app to the Microsoft Store is another route. Just keep in mind that intercepting key presses is sensitive, so user caution is understandable. It's worth noting that the AutoHotkey installer isn't signed either, which can raise flags.

MathKeyboardMaker -

Thanks for clarifying this! I've been telling users to click 'More info -> Run anyway,' but that's not very user-friendly. Getting my software signed seems like the best path forward.
