Score:1

Signed Installer Downloads Unsigned Executable

Context:

I'm designing a deployment process for a Windows 10 desktop application that will run on client machines. There are two programs: an app and an installer which downloads and installs the app. It's important that clients never see any scary security warnings. The installer is signed with an Extended Validation (EV) Certificate, so it doesn't trigger Windows SmartScreen. The app is not signed by any certificate but, in testing, Windows 10 doesn't seem to complain when the user runs the app.

Questions:

  • Does Windows SmartScreen consider the unsigned app safe because it wasn't downloaded by a web browser?
  • Can I depend on this behavior and forego code signing the app?

Not My Question:

I'm not asking if I should sign the app for other reasons, I know I should. Only asking about Windows SmartScreen security warnings.

Supporting References:

Based on these references, it seems SmartScreen may only care about executables downloaded from a web browser?

  • "Microsoft Defender SmartScreen determines whether a downloaded app or app installer is potentially malicious..."
  • "Checking downloaded files..."
  • "SmartScreen checks files that you download from the web..."

Ginnungagap
SmartScreen is an opaque system, as most Microsoft stuff is; ask Microsoft how it works and if your binary might get flagged at some point. Or just sign it to reduce the chances of it happening, but just as Apple has OCSP failures that brick macOS machines, Microsoft will have issues with SmartScreen at some point or another.