0

I am working on an ASP.NET WPF Desktop Application and have created a Setup Project to generate an MSI installer. However, when I share the MSI file, users get security warnings like:

"This file may be harmful to your PC"

OR

"This file may contain a virus"

To resolve this, I tried using a self-signed certificate for code signing, but the warning still appears. I tried:

  • Self-signing the MSI file using signtool.exe
  • Checking for any antivirus flags.
  • Researching paid Code Signing Certificates, but they are not budget-friendly.

Is there any free or low-cost way to sign the MSI file properly? and How can I distribute my MSI file without triggering these warnings?

Improve this question

2 Answers 2

Reset to default
1

Azure Trusted Signing seems to be one of the best and (possibly) least expensive ways to sign packages today.

Self-signing will not help you (outside your own computer if you trust the cert). And, honestly, trust for new packages sometimes requires many people to download it safely to build a reputation that the cert is "good and safe". Trusted Signing supposedly helps as well.

Improve this answer
Sign up to request clarification or add additional context in comments.

2 Comments

hi I have created Azure Account can you help me how can i this signin msi using this Trusted Signing Accounts in azure or can you share any refrence?
I would sign the MSI as part of your build process. The how-to and tools to use can be found on this site, learn.microsoft.com/en-us/azure/trusted-signing/…
1

You need to obtain a code-signing certificate with Extended Validation (EV) in order to have a hope of not getting flagged by most screening systems. You also need to obtain reputation by having a certain number of downloads of your signed files, though in my experience it doesn't take all that much.

Unfortunately this is quite expensive and a hassle as you have to provide corporate documents proving you're an actual business entity, and they will probably want to call your registered office, etc.

I can't vouch for Azure Trusted Signing but if they're not verifying your entity status then it won't be EV, and thus won't have the maximum level of trust needed to remove those warnings.

Globalsign is the one I use.

Improve this answer

4 Comments

Yes, but this is quite expensive. I want to sign 2 to 3 msi file of small projects .
Believe me I know. It's incredibly unfair IMO. You could even go so far as to call it a racket. Paying for "protection" so they don't terrify people into not installing your application. Sorry I don't have a better alternative. You're certainly welcome to try the Azure service but I'm fairly confident it's not going to be EV and this is not going to solve your main problem. Glad to be proven wrong though.
Yes i agree with you azure is the better option
I actually don't know if Azure is a better option even if it is cheaper. But if it works for you I'm glad to hear it.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.