About Windows Scary Warnings and Code Signing Certificates

September 17, 2019

Hi everyone!

If you have attempted to download and install VGC Alpha, you may have encountered quite a few scary warnings, making the installation process very far from pleasant. Even worse, the installation might have even failed due to your antivirus getting in the way (see here for details).

Are the installers safe to run?

As long as you download the VGC installers from https://www.vgc.io, you can safely run them despite the warnings: just ignore the warnings, following the steps illustrated in the image above. The "HTTPS" in the URL ensures that no third party could have maliciously tampered with the download by adding malware. You know that you're using HTTPS if you see a "lock icon" in the address bar:

If the installer fails, please try again a few times: the first failure may be because your antivirus didn't have enough time to verify that there are indeed no viruses. As a last resort, you can try to install VGC with your antivirus disabled (in which case I recommend turning off your Wifi/Ethernet connection first: the VGC installer doesn't need Internet anyway). Note that I generally don't recommend turning off your antivirus: please re-enable it as soon as VGC is installed, and before visiting any websites.

If you've encountered any of these installation problems, I would appreciate it if you let me know in the comments or at support@vgc.io which version of Windows you are using, which antivirus you are using, and whether turning off the antivirus helped.

Why the warnings if the installers are indeed safe??

The reason for the scary warnings is that I am not yet doing something called "code signing" on the installers I provide. Code signing is a process where a trusted third party called a "Certificate Authority" (= DigiCert, VeriSign, Sectigo, ...), or CA for short, issues to a publisher (= VGC Software) a "code signing certificate", which is a set of cryptographic keys used to prove the identity of said publisher. Then, when Windows, your web browser, or your antivirus encounters an installer or any other program (= "VGC Alpha Installer.exe"), it can ask the CA whether it was correctly signed by the publisher.

This process is meant to make it harder for bad people to infect your computer with malware. The problem is that it also makes it more complicated for small teams and individual developers to publish their software without having these scary warnings. The reason is that getting a certificate costs money. Quite a lot of money, in fact. Here is a screenshot from one of the most popular/trusted CAs:

Yes, you've read that right: "As LOW as $474/year". If you find that sentence outrageous, you're not alone. All they do is basically check that your company exists, give you a phone call for added verification, and then have a server in place to automatically compute a few multiplications between prime numbers when the Microsoft server asks them if the signature is valid.

A lot of people complain about this system, which is especially unfair to small open-source projects, such as Notepad++, which decided to stop using code signing as of March 2019.

Fortunately, cheaper options do exist, and I just ordered a certificate for $67/year from K Software, a reseller of Sectigo certificates, Sectigo being one of the reasonably trusted Certificate Authorities. I decided that this was a reasonable price to pay to remove those pesky warnings. $67/year is around 1.5% of your donations: thank you!

But the annoying part is: even doing this, I have no guarantee that you won't still get a warning. Indeed, even bad people can get a certificate, so Windows uses a "reputation system" in addition to verifying the certificate. How exactly this reputation system works isn't publicly known, but basically if very few people download a given program (which is the case for VGC alpha versions), it is quite likely to get a warning anyway. A slightly less obnoxious warning, but still.

A solution to bypass the reputation system would be to use a so-called "EV Code Signing Certificate", instead of the more standard "OV Code Signing Certificate" which I ordered. Unfortunately, not only are these even more expensive (around $250-$700 per year, which means 5%-14% of your donations...), but they also require the use of a physical cryptographic USB key to sign the installers, which makes them far less convenient (or even impossible) to use with Cloud-based servers like I do. So I'll stick to OV certificates for now and see how it goes.

Conclusion

I am still waiting for the verification process to be complete before I can use the certificate I ordered, and then I'll have to write some code to use the certificate to sign each of the installers as part of the automatic compilation and release process I have in place. Until then, please ignore the warnings :-)
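
One way such a release step could look on a Windows build machine, as an added example rather than the VGC release code: it signs each installer with signtool and then fails the release if any signature does not validate. It assumes signtool.exe from the Windows SDK is on PATH and the certificate is available as a PFX file; the folder, environment variable names and timestamp URL are placeholders.

```powershell
# Added example, not the VGC release code. Assumed/hypothetical: signtool.exe (Windows SDK)
# on PATH, an OV certificate exported as a PFX file, and the parameter defaults below.
param(
    [string]$InstallerDir = '.\dist',                    # hypothetical build output folder
    [string]$PfxPath      = $env:CODESIGN_PFX_PATH,      # hypothetical CI secret: path to the PFX
    [string]$PfxPassword  = $env:CODESIGN_PFX_PASSWORD,  # hypothetical CI secret: PFX password
    [string]$TimestampUrl = 'http://timestamp.example.invalid'  # placeholder for the CA's RFC 3161 server
)

# Thumbprint of the certificate we expect to find on every signed installer.
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($PfxPath, $PfxPassword)
$problems = @()

foreach ($exe in Get-ChildItem -Path $InstallerDir -Filter '*.exe') {
    # /fd: file digest; /tr and /td: timestamp server and its digest, so the
    # signature stays verifiable after the certificate itself has expired.
    & signtool sign /f $PfxPath /p $PfxPassword /fd SHA256 /tr $TimestampUrl /td SHA256 $exe.FullName
    if ($LASTEXITCODE -ne 0) {
        $problems += "$($exe.Name): signtool failed with exit code $LASTEXITCODE"
        continue
    }

    # Re-check the file with Windows' own Authenticode validation before publishing.
    $sig = Get-AuthenticodeSignature -FilePath $exe.FullName
    if ($sig.Status -ne 'Valid') {
        $problems += "$($exe.Name): $($sig.Status) ($($sig.StatusMessage))"
    } elseif ($sig.SignerCertificate.Thumbprint -ne $cert.Thumbprint) {
        $problems += "$($exe.Name): signed by unexpected certificate $($sig.SignerCertificate.Thumbprint)"
    } elseif ($null -eq $sig.TimeStamperCertificate) {
        $problems += "$($exe.Name): signature has no timestamp"
    } else {
        Write-Host "$($exe.Name): signed by $($sig.SignerCertificate.Subject)"
    }
}

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1   # fail the release so unsigned or mis-signed installers are never published
}
```

Passing the PFX password with /p puts it on the command line of the build machine, so the PFX file and its password belong in the build system's secret store rather than in the repository.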

Once again, thank you for your donations! They are very concretely useful for this specific issue.

Cheers,

Boris
