Has anyone encountered issues with their EV Signed Tauri MSIs throwing up a SmartScreen error? Despite appearing to be signed correctly when inspected, and being with a reputable CA that's part of Microsoft's trusted roots (https://ccadb.my.salesforce-sites.com/microsoft/IncludedCACertificateReportForMSFT), this has seemingly just started happening. We've had no issues with it over the past year 🤔
#EV Signed App smartscreen alert
The one difference seems to be this 'Security' note at the bottom. "This file came from another computer" - Our previous installers don't have this and work fine
haha seems like it's the same case (almost) with the unsigned ones
Strange too
except it happens for chrome too
Yeah, which isn't great when it's actually EV signed. I'm testing rebuilding the exact same version which didn't have this issue previously to see if there's something unpinned in the chain that's causing this
I have no problem on my side with EV certificate. I could rebuild later to confirm.
It'd be greatly appreciated if you can try that, Corentin. I'm still unsure if it's an issue with our build or if Windows has changed in some way to start flagging these installers. Given that we build with our cargo.lock and yarn.lock and have pinned dependencies throughout, I'm surprised that I'm not seeing the alert on old installers, but if I rebuild those installers they now have the issue.
I have built for the latest beta version of Tauri v2, with the plugins updated to the latest version for Tauri v2 as well
I have no problem.
I also have "This digital signature is valid"
Bundle .msi is ok too
Very strange, I'll have to keep looking at ours to find the cause. We are on Tauri v1 and won't be upgrading until v2 is stable, perhaps there's something specific to that toolchain. I will update here if I find anything. I might try stripping back our application to a minimal app and see if it still has the SmartScreen warning. Thank you very much, Corentin.
I just upgraded my application a few months ago (fairly recently) to v2, it's true that there are still some breaking changes from time to time, but the Release Candidate should not take long to lock the database of code!
Good luck to you
It's starting to look like a GlobalSign-specific issue. We're seeing a different intermediate certificate used between our working builds and those that trigger SmartScreen. It lines up with when GitHub released a new Windows runner.
We ended up getting our certificate reissued which resolved the issue. We also had to install some intermediate certificates on our CI runner.
Longer term we're probably considering moving to Azure Trusted Signing, from testing it 'just works'.
GlobalSign does not really have a big reference in the certificate market. I can recommend Sectigo, which is a must on the market, but with the new requirements since the end of 2023 concerning encrypted physical USB keys, which prevent automating signing, I would rather advise you to go to the Azure service provider with the Key Vault HSM, which can be used in your pipeline. Personally I buy my certificates from signmycode, they have quality support that I have never seen before, available 24/7, they are just incredible and on top of that they have a direct relationship with the certificate providers.
Yes, you can use Azure Trusted Signing, with a cost of $20 per month, or you can use my GitHub Actions that I created recently, which use the AzureSignTool binary under the hood and do the same job. (free)
I'm happy for you then if it works again.
I'm using Azure Trusted Signing but still get the alert
Even stranger. I tested it out for the first time and didn't get a SmartScreen alert, although I know that Azure Trusted Signing assigns some level of reputation to your identity, so perhaps for some reason my identity received a higher reputation?