Microsoft SmartScreen marks installers as unsafe

For both ContinuaCI and FinalBuilder the installer exe gets flagged as unsafe by Microsoft SmartScreen.

There is not a lot we can do about this. All our installers are signed with a code signing certificate, and served over HTTPS.

Microsoft is pushing the use of hardware EV certificates (which are significantly more expensive). Unfortunately, there is a major issue with them: they are not compatible with unattended automated builds or continuous integration servers. EV certificates require someone to be logged into the machine and interactively authenticate, which is just nuts.

Most unattended builds are run from a Windows service, which cannot access the UI (EV certs cause a UI to be displayed).

There have been attempts to run without the UI prompt; however, that also has issues. It still requires the USB token to be plugged into the machine. There is no way to export the private key from the USB dongle, so it must be plugged in.

Our build servers are in a shared cage in a data centre 3 hours' drive away. I’m not going to leave a USB dongle plugged into the server in such an environment. If we were using cloud servers that wouldn’t even be an option.

FWIW, we did notice this earlier this week, and made submissions to SmartScreen to have the files marked as safe, but not sure what effect that will actually have.

1 Like

I can relate to that pain.