How to preserve reputation with the SmartScreen Filter in Windows 10 after previous code-signing certificate renewal?


Question

I had a code-signing certificate for the last 3 years. When I signed my software with it, the signature did not cause any SmartScreen warnings when the software was downloaded from the Internet.

This certificate was expiring this month, so I renewed it with the same company for another 3 years.

The issue it created is that now when I sign my software, the new certificate does not have any reputation with the Windows 10 SmartScreen, so when the software is downloaded and run, it shows this warning:

(I have been signing my software with it for more than 2 weeks now. The warning is still there.)

I know it's a slim chance, but is there a way to link this new certificate to the old one to preserve the old cert's reputation with SmartScreen?

PS. This "cert renewal business" and the loss of reputation is costing me dearly in the number of installs of my software. Also, why do developers have to pay with the reputation loss for the cert renewals?

Recommended answer

Not an exact answer to your question, but I think this method might help you as well:

Create a small installer package that does nothing other than download the real, up-to-date installer EXE/MSI from a web server (let's call it the "secondary installer") and run it.

You can update the "secondary installer" as often as you want, but by all means avoid any changes (rebuilds) of the "primary installer".

Why does this work?

  • You need to code sign the primary installer only once. As long as the EXE remains as-is, its signature and reputation are valid even when the certificate itself expires (an expired certificate won't let you sign new code, but already signed code remains valid).
  • Smart Screen only checks your primary installer. It apparently does not care if that program downloads and runs other programs.

Of course, your primary installer (or, more exactly, its certificate) still needs to gain reputation, but after that, you're set.

I used Inno Setup along with the Inno Download Plugin to create such a "primary installer" (resulting in a ~700 kb Setup).
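
The bootstrapper described in the answer runs whatever the web server returns, so the trust placed in the signed primary installer extends to that download. As an added example (not part of the original answer and not Inno Setup code), this PowerShell checks the downloaded secondary installer's Authenticode signature and signer before running it; the function names, URL and publisher subject are hypothetical placeholders, and it assumes the secondary installer is itself code-signed.

```powershell
# Added example. Assumption: the secondary installer is Authenticode-signed
# by the same publisher as the primary installer.
function Test-InstallerSignature {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ExpectedSubject
    )
    $sig = Get-AuthenticodeSignature -FilePath $Path
    # 'Valid' = file hash matches the signature and the chain is trusted.
    if ($sig.Status -ne [System.Management.Automation.SignatureStatus]::Valid) {
        Write-Warning "Signature status '$($sig.Status)': $($sig.StatusMessage)"
        return $false
    }
    # A valid signature from some other publisher is not acceptable.
    # Matching the subject (not the thumbprint) keeps working after a
    # renewal, provided the renewed certificate keeps the same subject.
    if ($sig.SignerCertificate.Subject -ne $ExpectedSubject) {
        Write-Warning "Unexpected signer: $($sig.SignerCertificate.Subject)"
        return $false
    }
    return $true
}

function Invoke-VerifiedInstaller {
    param(
        [Parameter(Mandatory)][string]$Url,
        [Parameter(Mandatory)][string]$ExpectedSubject
    )
    # Download into a fresh directory so an existing file is never reused.
    $dir = Join-Path $env:TEMP ([System.IO.Path]::GetRandomFileName())
    New-Item -ItemType Directory -Path $dir | Out-Null
    $target = Join-Path $dir 'secondary-setup.exe'
    try {
        Invoke-WebRequest -Uri $Url -OutFile $target -UseBasicParsing
        if (-not (Test-InstallerSignature -Path $target -ExpectedSubject $ExpectedSubject)) {
            throw "Refusing to run '$Url': signature check failed."
        }
        Start-Process -FilePath $target -Wait
    }
    finally {
        Remove-Item -LiteralPath $dir -Recurse -Force -ErrorAction SilentlyContinue
    }
}

# Usage (placeholder values, constructed for illustration):
# Invoke-VerifiedInstaller -Url 'https://downloads.example.invalid/setup-latest.exe' `
#     -ExpectedSubject 'CN=Example Publisher, O=Example Publisher, C=US'
```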
