Reality Check on "Unrecognized Applications"

I have packaged a Java application with InnoSetup5 into a Windows setup.exe. When I run the setup file, I get the following message:

[quote]Windows Defender SmartScreen prevented an unrecognized app from starting. Running this app might put your PC at risk.
More info
[/quote]
Clicking “More info” allows one to get past this warning. Once past the warning, the Java application is installed on Windows as a “native” Windows program, and the application itself runs without complaint.

I have been trying to better understand what all is involved here. Seems like it would be a good thing to avoid getting this message, if possible. Researching on itch.io (where I plan to publish), I found the following forum response to a question about this warning popping up, and whether itch.io games were safe. The answer is from an Admin there.

[quote]Windows has default security settings that show a frightening warning when you download any executable off the internet that isn’t signed with a paid certificate. You can get around this warning by using our desktop app. Additionally, our desktop app has a sandbox mode that you can use to run games in an environment with restricted settings. https://itch.io/docs/itch/using/sandbox.html

To answer whether games are safe, in general, yes they are. But, keep in mind that anyone can publish a project page on itch.io. You should use the same discretion you use when downloading any program off the internet. If you think something is suspicious then don’t download it and report it. We process reports daily and if we find anything malicious we instantly ban the page.
[/quote]
So, if I understand this correctly:

  1. itch.io customers, when they download a game directly, will get this message unless a paid certificate is involved
  2. if the customer uses the itch.io desktop app, this message does not come up

I’ve also come across the following:

  1. Publishers of apps who say they aren’t going to pay for a certificate, and just explain to the downloaders that they will need to bypass this safety warning (seems like this is actually pretty common)
  2. multiple tiers of paid certificates, e.g., ones that are lower cost but will generate the warning until a “track record” of some undefined sort has been established, and a higher cost (something like $300-400 a year) for a certificate that immediately grants “safety”

Here is an explanation from Microsoft.

I’m still not entirely clear on who one buys these things from and whether you are getting the right thing or not. A lot of searches I have done have turned up certificates pertaining to encryption or to SSL connections, as opposed to whether one’s particular .exe is “recognized” or not. StackOverflow questions more often than not are geared to C++ and C# or other Windows entities such as programs created with Visual Studio.

I’m hoping someone here who is more experienced might be able to explain for the first-time Java app wannabe publisher what the options are and provide some guidance on the process for those options?

For my particular case, I will also be checking in with the forum at InnoSetup. Even though I specified a “Publisher” name in the .iss file, it is not showing up on the Windows Defender “More Info” message. And I assume that if I do end up paying for some sort of certificate (assuming the right thing is found and purchased), I’ll have to ask the folks at InnoSetup how to get it integrated into the setup.exe that is generated.

Thanks!
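One way to sign the Inno Setup output and check the result, as an added example that is not part of the original thread, of Inno Setup, or of Microsoft’s documentation. It assumes Inno Setup 5 at its default install path, signtool.exe from the Windows SDK on PATH, a code-signing certificate (with private key) already imported into the CurrentUser\My store, a placeholder timestamp-server URL, and an .iss whose [Setup] section names a sign tool called mysigntool (an arbitrary label defined on the ISCC command line below). SmartScreen’s “Publisher” line is taken from the Authenticode signature on the .exe, not from the AppPublisher directive in the script, which is why an unsigned installer shows “Unknown publisher”:

```powershell
# Added example, not from the original post, Inno Setup, or Microsoft:
# compile an Inno Setup script so the generated setup.exe is
# Authenticode-signed, then inspect the signature the way Windows will.
#
# Assumptions (hypothetical names, adjust to your environment):
#   - Inno Setup 5 is installed at $Iscc below.
#   - signtool.exe (Windows SDK) is on PATH.
#   - A code-signing certificate with private key is in CurrentUser\My
#     (imported from the .pfx the CA issued).
#   - $TimestampUrl is your CA's RFC 3161 timestamp server (placeholder).
#   - MyJavaApp.iss contains, under [Setup]:
#         SignTool=mysigntool
#         SignedUninstaller=yes
#     "mysigntool" is only a label; the /S switch below defines it.

$Iscc         = 'C:\Program Files (x86)\Inno Setup 5\ISCC.exe'
$Script       = '.\MyJavaApp.iss'
$TimestampUrl = 'http://timestamp.example.invalid/rfc3161'   # placeholder

# Pick an unexpired code-signing certificate from the user's store and sign by
# thumbprint, so no .pfx password ends up on the command line or in a script.
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
        Where-Object { $_.NotAfter -gt (Get-Date) } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1
if (-not $cert) { throw 'No unexpired code-signing certificate found in CurrentUser\My' }

# Inno Setup replaces $f with the path of the file it is signing and $q with a
# double quote. /fd and /td select SHA-256 digests; /tr adds an RFC 3161
# timestamp so the signature keeps validating after the certificate expires.
$signCmd = 'signtool.exe sign /sha1 {0} /fd SHA256 /tr {1} /td SHA256 $q$f$q' -f $cert.Thumbprint, $TimestampUrl

# /S<name>=<command> defines the sign tool referenced by SignTool= in [Setup].
& $Iscc "/Smysigntool=$signCmd" $Script
if ($LASTEXITCODE -ne 0) { throw "ISCC failed with exit code $LASTEXITCODE" }

# Verify what a user (and SmartScreen) will see. Inno Setup's default
# OutputDir is .\Output relative to the script.
$exe = Get-ChildItem .\Output\*.exe | Select-Object -First 1
$sig = Get-AuthenticodeSignature -FilePath $exe.FullName
switch ($sig.Status) {
    'Valid'     { "OK: $($exe.Name) signed by $($sig.SignerCertificate.Subject)" }
    'NotSigned' { throw "$($exe.Name) is not signed; SmartScreen will show 'Unknown publisher'" }
    default     { throw "Signature problem on $($exe.Name): $($sig.Status) - $($sig.StatusMessage)" }
}
if (-not $sig.TimeStamperCertificate) {
    Write-Warning 'No timestamp: the signature will stop validating when the certificate expires'
}
```

A valid signature only tells Windows who signed the file and that it has not been altered since; a freshly issued standard certificate still has no SmartScreen reputation, so the “unrecognized app” prompt can keep appearing until enough downloads of files signed with that certificate have been seen. Run the verification step on the exact file you upload, since re-packaging or modifying the .exe afterwards invalidates the signature.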

You may want to google for “code signing certificate” - Comodo (the dreadful certificate company) seems to have low-end pricing at $70/year (or 3x $60 for 3 years).

Keep in mind that certificates don’t buy you safety. Just like you can get infected through HTTP and through ‘secure’ HTTPS.

The ‘only’ thing such certificates guarantee is that your data was not altered (be it corrupted or infected) after it was signed, and before it is installed.

Thanks, Riven.

Do you know if this also has anything to do with helping get Windows Defender to not give an “unrecognized app” warning?

Ah, so Microsoft is copying Apple now. Great! :slight_smile: Signed code isn’t a bad idea, but it would be good to feel this was actually about security and not them controlling the means of distribution. Hopefully we’ll see Let’s Encrypt or similar provide free code signing certificates soon. Keeps coming up!

FYI:
If you ever decide to publish on Steam, you won’t run into that problem.
Installing takes place through SteamPipe, without the need of an install package like Inno Setup.

Grtz, Danny.