EV Code Signing certificate or Code Signing Certificates for Microsoft Authenticode

Sergei Overko · Jan 14, 2014 · Viewed 8.6k times

I developed a free personal finance application. It is a hobby for me. I have it on my website for download. http://moneyble.com/download/

I frequently (once a month or so) release a new version. So the file's hash changes.

When the file is downloaded from my website, the browser displays a warning that the file is not commonly downloaded and could be dangerous. Also, on Windows 8 machines a SmartScreen warning pops up.

Both these warnings are killing any new users who try to download my software.

I read some articles about Code Signing and realized that I have to buy a Code Signing Certificate. It sounds stupid to pay Microsoft for the right to release my own software. Like they own the Internet. But anyway... they set the rules.

Question:

Should I spend $500 on EV Code Signing Certificate?

or

Can I buy a much cheaper ($100-$200) Microsoft Authenticode Certificate and still get rid of both warnings (Download and SuckScreen)?

My exe-s currently have no reputation with MS. I update exe-s frequently. User-base is slowly growing from 0.

Does anybody have similar real-life experience?


I still don't know, though, how to sign a zip package. I provide a portable install of my program as well. If you download the portable zip package in Google Chrome, it displays a nasty message: "Moneyble.zip is not commonly downloaded and could be dangerous". The exe within that package is signed, but it does not help. IE does not have this problem; it's only Google Chrome's issue.

If anyone has suggestions on how to distribute portable installations, I would really appreciate it.

If you want to check warnings download one of the installers from: http://moneyble.com/download/

Answer

Rich Pollock · Jun 27, 2014

I've just written up a couple of blog posts on this very topic. The following three screenshots are illustrative of the progression from unsigned through standard Authenticode certificate to EV Authenticode certificate:

[Screenshot: No digital signature]

[Screenshot: Signed with standard Authenticode certificate from DigiCert]

[Screenshot: Signed with EV Authenticode certificate from DigiCert]

So unless you can amass whatever critical volume of users Microsoft deems to mean that your program is commonly downloaded, an EV certificate is the fastest way to remove the SmartScreen warnings for all users. For what it's worth, the DigiCert hardware token was very easy to use through the Windows Certificate Manager, but the $450 it cost us is admittedly quite expensive, especially for a hobby.
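As an added example, not code from the question or the answer above: a PowerShell script that signs a build output with the Windows SDK `signtool.exe` (selecting the certificate by subject name from the certificate store, which is how a token-backed certificate like the one described in the answer is used), timestamps the signature so it stays valid after the certificate expires, and then verifies the result both with `signtool verify /pa` and with the built-in `Get-AuthenticodeSignature` cmdlet that any user can run on a downloaded file. The file path, the certificate subject name and the DigiCert timestamp URL are assumptions; substitute your own. Note that Authenticode signs PE files, MSI packages and similar containers, not a zip archive, so for the portable package the check has to be run on the extracted exe.

```powershell
# Added example, not the question's or answer's own code.
# Assumptions: signtool.exe (Windows SDK) is on PATH; the code-signing
# certificate is installed in the current user's store (or presented by a
# hardware token through its CSP); the values below are placeholders.
param(
    [string]$File      = '.\Moneyble-Setup.exe',          # placeholder: file to sign
    [string]$Subject   = 'Example Publisher',              # placeholder: your certificate's CN
    [string]$Timestamp = 'http://timestamp.digicert.com'   # RFC 3161 timestamp server (assumed)
)

# 1. Sign.
#    /n  selects the certificate by subject name from the certificate store, so
#        the private key stays on the token and signtool never sees it.
#    /fd and /td select SHA-256 for the file digest and the timestamp digest.
#    /tr adds an RFC 3161 timestamp; without it the signature becomes invalid
#        the day the certificate expires.
& signtool.exe sign /n $Subject /fd SHA256 /tr $Timestamp /td SHA256 $File
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# 2. Verify using the default Authenticode policy (/pa), verbose output.
& signtool.exe verify /pa /v $File
if ($LASTEXITCODE -ne 0) { throw "signtool verify failed with exit code $LASTEXITCODE" }

# 3. Cross-check without the SDK. This is the same check a support script or a
#    cautious user can run on any downloaded file to see who signed it.
$sig = Get-AuthenticodeSignature -FilePath $File
[pscustomobject]@{
    File      = $File
    Status    = $sig.Status                      # 'Valid' is the only acceptable value
    Signer    = $sig.SignerCertificate.Subject
    Issuer    = $sig.SignerCertificate.Issuer
    NotAfter  = $sig.SignerCertificate.NotAfter
    Timestamp = if ($sig.TimeStamperCertificate) { $sig.TimeStamperCertificate.Subject } else { '(none)' }
}
if ($sig.Status -ne 'Valid') { throw "Signature status is $($sig.Status), expected Valid" }
```

Run it from the directory containing the build output; a `Status` other than `Valid` (for example `NotSigned`, `HashMismatch` or `UnknownError` for an untrusted chain) is exactly what a user's machine sees, so treating it as a release-blocking failure catches a broken or expired signature before it reaches the download page.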