I am working on an ASP.NET WPF Desktop Application and have created a Setup Project to generate an MSI installer. However, when I share the MSI file, users get security warnings like:
"This file may be harmful to your PC"
OR
"This file may contain a virus"
To resolve this, I tried using a self-signed certificate for code signing, but the warning still appears. I tried:
- Self-signing the MSI file using signtool.exe
- Checking for any antivirus flags.
- Researching paid Code Signing Certificates, but they are not budget-friendly.
Is there any free or low-cost way to sign the MSI file properly? and How can I distribute my MSI file without triggering these warnings?
I am working on an ASP.NET WPF Desktop Application and have created a Setup Project to generate an MSI installer. However, when I share the MSI file, users get security warnings like:
"This file may be harmful to your PC"
OR
"This file may contain a virus"
To resolve this, I tried using a self-signed certificate for code signing, but the warning still appears. I tried:
- Self-signing the MSI file using signtool.exe
- Checking for any antivirus flags.
- Researching paid Code Signing Certificates, but they are not budget-friendly.
Is there any free or low-cost way to sign the MSI file properly? and How can I distribute my MSI file without triggering these warnings?
Share Improve this question edited Mar 18 at 9:56 MANSI asked Mar 17 at 17:04 MANSIMANSI 593 silver badges8 bronze badges2 Answers
Reset to default 1Azure Trusted Signing seems to be one of the best and (possibly) least expensive ways to sign packages today.
Self-signing will not help you (outside your own computer if you trust the cert). And, honestly, trust for new packages sometimes requires many people to download it safely to build a reputation that the cert is "good and safe". Trusted Signing supposedly helps as well.
You need to obtain a code-signing certificate with Extended Validation (EV) in order to have a hope of not getting flagged by most screening systems. You also need to obtain reputation by having a certain number of downloads of your signed files, though in my experience it doesn't take all that much.
Unfortunately this is quite expensive and a hassle as you have to provide corporate documents proving you're an actual business entity, and they will probably want to call your registered office, etc.
I can't vouch for Azure Trusted Signing but if they're not verifying your entity status then it won't be EV, and thus won't have the maximum level of trust needed to remove those warnings.
Globalsign is the one I use.