As you may know, the current Windows installation process is a bit scary, with all the warnings produced by the Windows SmartScreen system. The solution is to sign the Windows executable, but signing an application for Windows is a much scarier process.
I will go into the details of how the process works in another publication (soon link), but for now we need to make some decisions. Here are the facts:
The certificate we need to buy has to be issued and provisioned by a cloud HSM (Hardware Security Module).
The certificate we bought for 30 days can be neither issued nor provisioned by a cloud HSM, which means we need to buy a new certificate to start signing our application.
We need the HSM to be cloud-based, because this is the only way we can sign the application in our current GitHub Actions process: from CI we call this cloud HSM, sign the artifact and get it back, just as we do in our current actions.
The pricing for all of this is also scary: you need to pay for the EV (Extended Validation) code signing certificate and for the cloud HSM access, and your plan normally includes only a limited number of signings. It's basically a rip-off.
Because we need a cloud HSM solution, we are bound by each provider's restrictions. With DigiCert KeyLocker, for example, we get 1,000 signatures per certificate. Only one user can be assigned to the certificate at a time. Additional signatures for the certificate may be purchased separately from the certificate's order details page to enable more signings.
Why Windows SmartScreen Matters
Windows SmartScreen is a security feature built into Windows that protects users from potentially malicious software. When a user downloads or runs an unknown app, SmartScreen performs a reputation check and may display a warning like:
❗ “Windows protected your PC — Microsoft Defender SmartScreen prevented an unrecognized app from starting.”
For developers, this warning is a critical trust barrier — especially for Electron apps, where the installer is downloaded outside the Microsoft Store.
The proper solution
In order to "Fix" the Windows Smartscreen issue, we need:
EV code signing certificate
Cloud HSM access (DigiCert KeyLocker)
GitHub Actions integration (our code)
This is the Digicert offering
With all of these, I'm certain we can avoid the SmartScreen warning from day one, which means no more scary installation process on Windows for a year or 1,000 app versions.
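The "GitHub Actions integration" step from the list above, combined with the check a release pipeline should run before publishing, as an added example that is not code from the post or from DigiCert. It is written for a Windows GitHub Actions runner on which the DigiCert Signing Manager tools are already installed and the KeyLocker certificate has been synced into the runner's certificate store (DigiCert's documented setup); the artifact path, the thumbprint secret and the timestamp URL are assumptions.

```powershell
# Added example, not the post's or DigiCert's own code. Assumes the DigiCert
# Signing Manager tools are installed on the Windows runner and the KeyLocker
# certificate has been synced into the runner's certificate store as
# DigiCert's setup guide describes; all paths and thumbprints are placeholders.
param(
    [Parameter(Mandatory)] [string] $Artifact,        # e.g. out\make\MyApp-Setup.exe (assumed)
    [Parameter(Mandatory)] [string] $CertThumbprint,  # SHA-1 thumbprint of the EV cert, from a secret
    [string] $TimestampUrl = "http://timestamp.digicert.com"
)
$ErrorActionPreference = "Stop"

# Sign only the final installer: every call consumes one of the 1,000
# signatures the KeyLocker plan includes per certificate, so intermediate
# binaries are deliberately not signed here. The private key never leaves the
# cloud HSM; signtool reaches it through the DigiCert KSP via the thumbprint.
& signtool.exe sign /sha1 $CertThumbprint /tr $TimestampUrl /td SHA256 /fd SHA256 $Artifact
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# Gate: fail the job unless Windows accepts the signature chain, the signer is
# the certificate we expect, and a timestamp countersignature is present
# (without it the signature stops validating once the certificate expires).
$sig = Get-AuthenticodeSignature -FilePath $Artifact
if ($sig.Status -ne "Valid") {
    throw "Signature on $Artifact is $($sig.Status): $($sig.StatusMessage)"
}
if ($sig.SignerCertificate.Thumbprint -ne $CertThumbprint.ToUpperInvariant()) {
    throw "Signed by unexpected certificate $($sig.SignerCertificate.Thumbprint)"
}
if (-not $sig.TimeStamperCertificate) {
    throw "No timestamp countersignature on $Artifact"
}

# Second opinion from signtool: /pa applies the Authenticode policy for
# user-mode code (the default is the kernel driver policy); /v logs the chain.
& signtool.exe verify /pa /v $Artifact
if ($LASTEXITCODE -ne 0) { throw "signtool verify failed with exit code $LASTEXITCODE" }
Write-Host "Signed and verified: $Artifact ($($sig.SignerCertificate.Subject))"
```

Call it from a single `run:` step on a Windows runner with both parameters taken from repository secrets; the only sensitive material the runner ever holds is the KeyLocker client credential, never the signing key.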
Another, less secure solution
The other solution we have is to buy a standard code signing certificate:
Standard code signing certificate
Cloud HSM access (DigiCert KeyLocker)
GitHub Actions integration (our code)
Digicert offering
Standard certs can work eventually, but only after enough users install the app and you gain SmartScreen reputation. This is unreliable and painful for small teams or indie apps.
We need to consider that tools like Electron Forge (which we use to package our app) have removed support for standard code signing certificates, so the only really viable option is EV code signing. There are ways around it, but they are not recommended.
Starting June 1, 2023 at 00:00 UTC, private keys for code signing certificates need to be stored on a hardware storage module compliant with FIPS 140 Level 2, Common Criteria EAL 4+ or equivalent.
Other Providers
My estimation is roughly 1,200€ to 2,000€ each year just to sign our Windows application.
Conclusion
Based on all this information, we need to decide what we should do about it. If you have any feedback or questions, please ask them in the comments. Thanks for reading!