How to preserve reputation with the SmartScreen Filter in Windows 10 after previous code-signing certificate renewal?


Problem description

I had a code-signing certificate for the last 3 years. When I signed my software with it, the signature did not cause any SmartScreen warnings when the software was downloaded from the Internet.

This certificate was expiring this month, so I renewed it with the same company for another 3 years.

The issue it created is that now when I sign my software, the new certificate does not have any reputation with the Windows 10 SmartScreen, so when the software is downloaded and run, it shows this warning:

(I have been signing my software with it for more than 2 weeks now. The warning is still there.)

I know it's a slim chance, but is there a way to link this new certificate to the old one to preserve the old cert's reputation with SmartScreen?

PS. This "cert renewal business" and the loss of reputation is costing me dearly in the number of installs of my software. Also, why do developers have to pay with the reputation loss for the cert renewals?

Recommended answer

Not an exact answer to your question, but I think this method might help you as well:

Create a small installer package that does nothing other than download the real, up-to-date installer EXE/MSI from a web server (let's call it the "secondary installer") and run it.

You can update the "secondary installer" as often as you want, but by all means avoid any changes (rebuilds) of the "primary installer".

Why does this work?

  • You need to code sign the primary installer only once. As long as the EXE remains as-is, its signature and reputation are valid even when the certificate itself expires (an expired certificate won't let you sign new code, but already signed code remains valid).
  • SmartScreen only checks your primary installer. It apparently does not care if that program downloads and runs other programs.

Of course, your primary installer (or, more exactly, its certificate) still needs to gain reputation, but after that, you're set.

I used Inno Setup along with the Inno Download Plugin to create such a "primary installer" (resulting in a ~700 kb Setup).
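
With this design the primary installer runs whatever the web server returns, so the download should be verified before it is executed. The following PowerShell is an added example, not part of the original answer or its Inno Setup script; the URL and publisher name are placeholders.

```powershell
# Added example: verify the downloaded secondary installer before running it.
# $InstallerUrl and $ExpectedPublisher are placeholders, not values from the page.
$ErrorActionPreference = 'Stop'
$InstallerUrl      = 'https://downloads.example.com/setup-latest.exe'
$ExpectedPublisher = 'Example Software Ltd'

function Test-InstallerSignature {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Publisher
    )
    $sig = Get-AuthenticodeSignature -FilePath $Path
    # 'Valid' means the file hash matches the signature and the chain is trusted.
    if ($sig.Status -ne 'Valid') {
        Write-Warning "Signature status: $($sig.Status) ($($sig.StatusMessage))"
        return $false
    }
    # Compare the signer's common name exactly. A pinned thumbprint would change
    # at renewal and force a rebuild of the primary installer.
    $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    $signer   = $sig.SignerCertificate.GetNameInfo($nameType, $false)
    if ($signer -cne $Publisher) {
        Write-Warning "Unexpected signer: $signer"
        return $false
    }
    return $true
}

function Invoke-SecondaryInstaller {
    param([string] $Url, [string] $Publisher)
    if (-not $Url.StartsWith('https://')) { throw 'Refusing non-HTTPS download URL.' }
    $name = 'setup-' + [guid]::NewGuid().ToString('N') + '.exe'
    $dest = Join-Path ([System.IO.Path]::GetTempPath()) $name
    try {
        Invoke-WebRequest -Uri $Url -OutFile $dest -UseBasicParsing
        if (-not (Test-InstallerSignature -Path $dest -Publisher $Publisher)) {
            throw 'Secondary installer failed signature verification; not running it.'
        }
        Start-Process -FilePath $dest -Wait
    }
    finally {
        # Remove the temporary copy whether or not the installer ran.
        Remove-Item -LiteralPath $dest -ErrorAction SilentlyContinue
    }
}

Invoke-SecondaryInstaller -Url $InstallerUrl -Publisher $ExpectedPublisher
```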
