Click here to Skip to main content
Rate this: bad
good
Please Sign up or sign in to vote.
See more: Deployment Win8 Signing
When users start my application for the first time they get a warning like this[^].
 

Will signing the application prevent this?
Posted 1-Mar-13 8:44am
Edited 1-Mar-13 8:45am
v3
Rate this: bad
good
Please Sign up or sign in to vote.

Solution 1

After some research using Google search using search key "windows smartscreen prevented an unrecognized app from starting", it looks like signing with a code signing certificate doesn't get rid of it immediately. Based on some of the information in the Google search results, it looks like a Microsoft database is checked (via an Internet connection) and updated with each install of your program. The reputation score for your signing certificate increases over time and eventually the SmartScreen warning goes away. Below are a few of the search results that explain this. The last one shows how to disable the SmartScreen feature although that is not recommended.
 
MSDN Blog
Windows SmartScreen prevented an unrecognized app from running. Running this app might put your PC at risk[^]
 
Stackoverflow.com
How to pass the smart screen on Win8 when install a signed application?[^]
 
How to disable
How to Disable SmartScreen Filter in Windows 8?[^]
  Permalink  
v2
Rate this: bad
good
Please Sign up or sign in to vote.

Solution 2

Signing of the application (I hope you mean signing the application to make it strong named) never modifies its behavior, at least if the application is not modified. This answers your question: it won't help you.
 
However, I recommend to sign all your assemblies if you ever deploy them.
 
The purpose of signing is absolutely different. To some extent, it protects application from modification. If some virus tries to modify the original file, the application won't be executed by the system. However, one can reverse-engineer, recompile and sign the application again, replacing the original one. The signing cannot protect from this, but it's possible to detect the trick if you store the strong name of its public key hash value separately and can compare. This signing uses public-key cryptography:
http://en.wikipedia.org/wiki/Public-key_cryptography[^].
 
Also, strong name is used for assemblies of the Global Assembly Cache. The strong name can be considered as world-unique assembly identity. Please see:
 
http://en.wikipedia.org/wiki/Strong_name[^],
http://en.wikipedia.org/wiki/Global_Assembly_Cache[^],
http://msdn.microsoft.com/en-us/library/wd40t7ad.aspx[^],
http://msdn.microsoft.com/en-us/library/yf1d93sz.aspx[^].
 
—SA
  Permalink  
Comments
Yvan Rodrigues at 1-Mar-13 14:20pm
   
It doesn't modify the application's behaviour, but it the past it has modified how Windows warned users about your application. Specifically, in Windows 7 the UAC warning is not shown if your application is signed. I was hoping this was the Win8 equivalent, but apparently not.
Sergey Alexandrovich Kryukov at 1-Mar-13 14:24pm
   
I don't understand your question. When in the past? What scenario do your consider. Anyway, I'm telling a simple thing: develop and application, compile. Sign it, compile again. They will do the same, exactly.
 
However, I must admit it's not 100% accurate statement. For example, application can output its own string name, then the behavior is "different". :-)
—SA
Sergey Alexandrovich Kryukov at 1-Mar-13 14:25pm
   
No matter how the page "Windows 7 the UAC warning is not shown if your application is signed" is named, do you think this is the true statement? No. Who told you so? It would defeat the purpose of UAC. Try it, to see what happens...
—SA
Sergey Alexandrovich Kryukov at 1-Mar-13 15:04pm
   
[OP commented:]
 
Agreed, allowing certain applications to bypass UAC would be a bad idea and can't be done through white hat methods. The difference is that the UAC message in Win7 shows a yellow "warning" dialog if the application is signed and a friendlier blue one if it is signed.

I was wrong, it is drivers that will not require user intervention if they are signed, not applications.

My application doesn't need write access to any system directories, so UAC isn't an issue, but it looks like SmartScreen will be.
Rate this: bad
good
Please Sign up or sign in to vote.

Solution 4

From the IE Blog archive[^]
 
Desktop Apps
 
Desktop applications remain an important part of the Windows experience and Microsoft remains committed to the safety of the desktop experience and our users. We recognize that Internet Explorer (IE) isn’t the only way users download applications from the Internet, so Windows 8 now uses SmartScreen to perform an application reputation check the first time users launch applications that were downloaded from the Internet.
 
This evolution of SmartScreen from IE-only to system wide is a significant improvement for Windows users. We have seen incredible results with this feature in IE9 (more here & here). Hundreds of millions of users have avoided malware infections due to these new experiences and we’re happy to bring this protection to Windows users, regardless of browser choice. For more details on the IE9 application reputation feature and the data models read this post. For more information on security & safety features in Windows 8 (including Windows SmartScreen) read this post.
 
The deeper integration of SmartScreen Application Reputation also means that desktop app developers have an additional motivation to sign their code and establish reputation. We’ve talked in the past about the importance of digitally signing code for both establishing reputation and proving the authenticity of programs. I’m happy to say the development community has responded to this call to action. Since the release of SmartScreen Application Reputation in IE9 we’ve seen a 10% global increase in signed downloads, from 73% at IE9 RTM to >83% today.
 
As we’ve discussed in the past, SmartScreen builds reputation for both individual programs and for the certificate used to sign that code. Code signing is important to our reputation intelligence because this higher level identity allows us to build reputation across multiple programs signed by a publisher. It is also important for publishers because signed programs inherit the reputation of the certificate with which they are signed; this means every program a publisher distributes doesn’t need to build reputation individually.
 
EV Code Signing
 
Today we are announcing our support for an important advance in code signing - the availability of EV code signing Certificates. We’re also announcing that EV code signing certificates will integrate with the SmartScreen Application Reputation technology in Internet Explorer 9, Internet Explorer 10 and in Windows 8.
 
Microsoft has been working with the CA industry over the past year to help make EV code signing certificates available. This code signing standard has a couple of key advancements from a safety and identity perspective. First, they require a more rigorous vetting and authentication process similar to that of EV SSL certificates that are in use today. This process requires a comprehensive identity verification and authentication process for each developer. Secondly, the EV code signing certificates require the use of hardware to sign applications. This hardware requirement is an additional protection against theft or unintended use of a code signing certificate.
 
Programs signed by an EV code signing certificate can immediately establish reputation with SmartScreen reputation services even if no prior reputation exists for that file or publisher. Other factors are considered when generating reputation and determining product experiences and EV-signed programs will be closely monitored over time. We think the improvements in the vetting and security of these certificates are a great development for both users and developers.
 
Starting today, EV code signing certificates are now being issued by Symantec and DigiCert, and the integration with SmartScreen is already live (IE9, IE10 & Win8).
 
Detractors may claim that SmartScreen is “forcing” developers to spend money on certificates. It should be stressed that EV code signing certificates are not required to build or maintain reputation with SmartScreen. Files signed with standard code signing certificates and even unsigned files continue to build reputation as they have since Application Reputation was introduced in IE9 last year. However, the presence of an EV code signing certificate is a strong indicator that the file was signed by an entity that has passed a rigorous validation process and was signed with hardware which allows our systems to establish reputation for that entity more quickly than unsigned or non-EV code signed programs.
  Permalink  

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

  Print Answers RSS
0 OriginalGriff 381
1 Sergey Alexandrovich Kryukov 245
2 Marcin Kozub 225
3 Praneet Nadkar 217
4 /\jmot 189
0 OriginalGriff 8,284
1 Sergey Alexandrovich Kryukov 7,407
2 DamithSL 5,614
3 Maciej Los 4,989
4 Manas Bhardwaj 4,986


Advertise | Privacy | Mobile
Web03 | 2.8.1411023.1 | Last Updated 5 Mar 2013
Copyright © CodeProject, 1999-2014
All Rights Reserved. Terms of Service
Layout: fixed | fluid

CodeProject, 503-250 Ferrand Drive Toronto Ontario, M3C 3G8 Canada +1 416-849-8900 x 100