About Windows Scary Warnings and Code Signing Certificates

September 17, 2019

Hi everyone!

If you have attempted to download and install VGC Alpha, you may have encountered quite a few scary warnings, making the installation process very far from pleasant. Even worse, the installation might have even failed due to your antivirus getting in the way (see here for details).

Are the installers safe to run?

As long as you download the VGC installers from https://www.vgc.io, you can safely run them despite the warnings: just ignore the warnings, following the steps illustrated in the image above. The "HTTPS" in the URL address ensures that no third party could have maliciously tampered with the download by adding a malware. You know that you're using HTTPS if you see a "lock icon" in the address bar:

If the installer fails, please try again a few times: the first failure may be because your antivirus didn't have enough time to verify that there are indeed no viruses. At a last resort, you can try to install VGC with your antivirus disabled (in which case I recommend to turn off your Wifi/Ethernet connection first: the VGC installer doesn't need Internet anyway). Note that I generally don't recommend turning off your antivirus: please re-enable as soon as VGC is installed, and before visiting any websites.

If you've encountered any of these installation problems, I would appreciate if you let me know in the comments or at support@vgc.io which version of Windows you are using, which antivirus you are using, and whether turning off the antivirus helped.

Why the warnings if the installers are indeed safe??

The reason for the scary warnings is that I am not yet doing something called "code signing" on the installers I provide. Code signing is a process where a trusted third party called a "Certificate Authority" (= DigiCert, VeriSign, Sectigo, ...), or CA for short, issues to a publisher (= VGC Software) a "code signing certificate", which is a set of cryptographic keys used to prove the identity of said publisher. Then, when Windows, your web browser, or your antivirus encounters an installer or any other program (= "VGC Alpha Installer.exe") , it can ask the CA whether it was correctly signed by the publisher.

This process is meant to make it harder for bad people to infect your computer with malware. The problem is that it also makes it more complicated for small teams and individual developers to publish their software without having these scary warnings. The reason is that getting a certificate costs money. Quite a lot of money, in fact. Here is a screenshot from one of the most popular/trusted CA:

Yes, you've read that right: "As LOW as $474/year". If you find that sentence outrageous, you're not alone. All they do is basically checking that your company exists, give you a phone call for added verification, and then have a server in place to automatically compute a few multiplications between prime numbers when the Microsoft server asks them if the signature is valid.

A lot of people complain about this system, which is especially unfair to small open-source projects, such as Notepad++, who decided not to use Code Signing anymore since March 2019.

Fortunately, there actually exist cheaper options, and I just ordered a certificate for $67/year from K Software, a reseller of Sectigo certificates, where Sectigo is one of the reasonably trusted Certificate Authority. I decided that this was a reasonable price to pay to remove those pesky warnings. $67/year is around 1.5% of your donations: thank you!

But the annoying part is: even doing this, I have no guarantee that you still don't get a warning. Indeed, even bad people can get a certificate, so Windows uses a "reputation system" in addition to verifying the certificate. How exactly this reputation system works isn't publicly known, but basically if very few people download a given program (which is the case for VGC alpha versions), it is quite likely to get a warning anyway. A slightly less obnoxious warning, but still.

A solution to bypass the reputation system would be to use a so-called "EV Code Signing Certificate", instead of the more standard "OV Code Signing Certificate" which I ordered. Unfortunately, not only these are even more expensive (around $250-$700 per year, which means 5%-14% of your donations...), but they require the use of a physical cryptographic USB key to sign the installers, which makes it way less convenient (or even impossible), to use when using Cloud-based servers like I do. So I'll stick to OV certificates for now and see how it goes.


I am still waiting for the verification process to be complete before I can use the certificate I ordered, and then I'll have to write some code to use the certificate to sign each of the installers as part of the automatic compilation and release process I have in place. Until then, please ignore the warnings :-)

Once again, thank you for your donations! There are very concretely useful for this specific issue.



Stay tuned

Found this news interesting? We can send the next ones straight to your inbox (around twice a month). Or we can simply let you know when VGC 1.0 is released. No spam guaranteed. You can unsubscribe at any time.

Become a sponsor

Excited about VGC? Join the sponsorship program to help us make it happen!

Indeed, we made the choice to be funded by future users like yourself rather than business investors, to ensure that your interests always come first.

How does it work?

For only $1 per month (Bronze Sponsor), you get instant access to all exclusive news as well as all alpha and beta versions of VGC. This allows you to try out VGC right now, which is a unique opportunity to provide early feedback and shape the tools the way you want them to be. Welcome to the team!

For $3 per month (Silver Sponsor), you also get a perpetual license key for the upcoming VGC Illustration 1.0 and VGC Animation 1.0. Higher amounts (Gold Sponsor and above) also give you software upgrades for up to 10 years! It's basically like pre-ordering VGC at a discounted early bird price.

You can either pay in USD via Patreon, or in EUR via Tipeee. You can cancel your monthly payments at any time, and still keep your rewards, no questions asked: we trust you to contribute for a number of months which seems fair to you. Alternatively, you can also choose to make a one-time payment via Paypal rather than monthly contributions. Just click on the chosen button and follow the instructions. Thank you!