Microsoft SmartScreen - suspended using Inno Setup installer?

3

12

I always use Inno Setup for packaging and publishing. Users download the application using a link, for example: https://oursite.com/codesigned/mysetup.exe

Until now, it always worked. But recently I had to renew my code signing certificate because it expired. After the renewal I have a SmartScreen problem: every user who downloads the application gets this SmartScreen warning, which did not appear before.


I have used signtool.exe verify /pa innosetup-made-myexe.exe and it reports success. I have also done the verification with the Windows Application Certification Kit, which shows it PASSED, but with WARNINGS; those WARNINGS are mostly generated by Inno Setup.

Here you can find the output, where it's showing WARNINGS on Inno Setup exes:

https://docs.google.com/document/d/11frW_GxI0xSVcrAXh4_rqcKBQSaermAlpYKj4xzQi4o/pub

How can I fix this problem?

(Still not sure if it's a Standard Code Signing vs. EV code signing issue. I already used Standard Code Signing for a few years, and it always worked. I can upgrade to EV code signing, but how can I make sure it's not an Inno Setup compiler problem? As you can see, the WARNINGS shown at the URL above already point to Inno Setup.)

To verify whether it's an Inno Setup or a code signing issue (see https://mcmap.net/q/103517/-how-to-pass-the-smart-screen-on-win8-when-install-a-signed-application), I have done the following:

  1. From Microsoft, I have downloaded the file called winqual.exe, which does not need Inno Setup.

  2. I code signed winqual.exe and uploaded it to my same server.

  3. I downloaded the same file with Internet Explorer and it works without showing me the SmartScreen.

Does it make any sense now if Inno Setup is the main cause of this problem?

Indigotin answered 16/3, 2015 at 0:21 Comment(0)
3

Nowadays, you have to use EV code signing certificates.
See Transferring Microsoft SmartScreen reputation to renewed certificate.

Below is the original answer, which addresses some specifics of the question.


If you believe the problem is due to an unsigned uninstaller, make sure you set the SignTool directive of your Inno Setup project accordingly. And make sure the SignedUninstaller directive has its default value yes.

Quoting SignTool directive documentation:

Specifies the name and parameters of the Sign Tool to be used to digitally sign Setup (and Uninstall if SignedUninstaller is set to yes). When Setup has a valid digital signature, users will not see an "unidentified program" warning when launching it.


If you want to set the NXCOMPAT and DYNAMICBASE flags on the uninstaller, you can create a sign.bat batch file that calls both editbin.exe and signtool.exe:

@echo off
editbin.exe /NXCOMPAT /DYNAMICBASE %1
signtool.exe sign ... %1

The calls need to be in this order, otherwise the editbin.exe breaks the signature.

Then use the sign.bat instead of signtool.exe in the SignTool directive.

Though I do not really think this is necessary, nor helps anything.

Kedge answered 16/3, 2015 at 8:34 Comment(0)
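The ordering rule in the answer above can be checked on a build output. This is an added example, not code from the answer or from Inno Setup: it reads the PE header to report the NXCOMPAT and DYNAMICBASE bits and whether a certificate table is present, and uses a simplified Authenticode-style digest to show that setting the bits changes what a signature covers. The function names, the constructed header from `make_sample()` and the simplified digest are assumptions for illustration.

```python
import hashlib
import struct

DYNAMIC_BASE = 0x0040  # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE (ASLR)
NX_COMPAT = 0x0100     # IMAGE_DLLCHARACTERISTICS_NX_COMPAT (DEP)

def pe_offsets(data):
    """File offsets of CheckSum, DllCharacteristics and the certificate-table entry."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]   # e_lfanew
    opt = pe + 24                                  # after 4-byte signature + 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0" or magic not in (0x10B, 0x20B):
        raise ValueError("not a PE32/PE32+ image")
    dirs = opt + (96 if magic == 0x10B else 112)   # data directories (assumes at least 5)
    return opt + 64, opt + 70, dirs + 4 * 8        # certificate table is directory index 4

def inspect(data):
    _, chars_off, cert_off = pe_offsets(data)
    chars = struct.unpack_from("<H", data, chars_off)[0]
    cert_size = struct.unpack_from("<II", data, cert_off)[1]
    return {"nxcompat": bool(chars & NX_COMPAT), "dynamicbase": bool(chars & DYNAMIC_BASE),
            "has_signature": cert_size > 0}

def signed_digest(data):
    """Simplified Authenticode-style SHA-256: skips CheckSum, the certificate
    directory entry and the certificate blob (assumed to sit at end of file)."""
    sum_off, _, cert_off = pe_offsets(data)
    cert_pos, cert_size = struct.unpack_from("<II", data, cert_off)
    end = cert_pos if cert_size else len(data)
    kept = data[:sum_off] + data[sum_off + 4:cert_off] + data[cert_off + 8:end]
    return hashlib.sha256(kept).hexdigest()

def set_flags(data, flags):
    """Model of the header edit: OR flags into DllCharacteristics."""
    off, out = pe_offsets(data)[1], bytearray(data)
    struct.pack_into("<H", out, off, struct.unpack_from("<H", out, off)[0] | flags)
    return bytes(out)

def make_sample():
    """Constructed minimal PE32 header (not a runnable program), flags cleared."""
    buf = bytearray(0x200)
    buf[:2], buf[0x80:0x84] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", buf, 0x3C, 0x80)        # e_lfanew
    struct.pack_into("<H", buf, 0x98, 0x10B)       # PE32 optional header magic
    return bytes(buf)

if __name__ == "__main__":
    before, after = make_sample(), set_flags(make_sample(), NX_COMPAT | DYNAMIC_BASE)
    print(inspect(after), "digest changed:", signed_digest(before) != signed_digest(after))
```

Running `inspect()` on the bytes of a real Setup or uninstaller executable after the build shows whether the flags and the signature both survived the signing step.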
1

I think this is normal behavior. When your software collects enough "likes" = downloads or installs, SmartScreen will automatically turn off this message.

It is a really annoying feature, because with every software release you need to wait an appropriate time until the software becomes "popular" and is recognized as safe (no certificates or antivirus methods can solve it).

Legionary answered 16/3, 2015 at 5:14 Comment(1)
I have been waiting for 2 weeks. That is not a normal waiting time, plus I have mentioned that when I used slappy.exe, which was not made by Inno Setup, and applied the code signing, it works. So it still does not tell me "likes" = downloads. - Indigotin
0

You do NOT need this "Windows Application Certification Kit".

What @slappy says is correct:

After renewal of your certificate, you need enough downloads and "good reviews" before this message goes away.

What you need to do is to download your application using Microsoft Edge (not Chrome or Firefox!!!).

It will most likely say "This download may be dangerous and has been blocked".

Then you can choose "Keep anyways". And then you can choose "Report as Secure".

And THEN even Smart Screen says that it doesn't trust your app (even though it's digitally signed, LOL!!!!), then you have to choose "More..." and "Install anyways".

Install it on your computer! I think that is important.

I have used 5 different computers and reported my apps as secure multiple times and installed it.

I have also asked 2 friends (because of their different IP address) to do the same.

I hate this so much!!!!!!!!!! After 1 day, the error message was gone.

Bastia answered 25/7, 2021 at 23:17 Comment(1)
I have not seen 'Then you can choose "Keep anyways". And then you can choose "Report as Secure".', but perhaps that's because I'm downloading a .zip archive, which Microsoft Edge on Windows 11 ALLOWS, but then just trying to open the .zip archive sets off SmartScreen. My Inno Setup-created installer, signed by my OV certificate, also sets off SmartScreen. But I'm not sure I can sign using the EV certificates they send on encrypted USB drives: apparently, some certificate providers won't allow automated command line access without interactive signing... - Montgomery