Code signing to help with Windows virus false positives

Brad Anderson via Digitalmars-d digitalmars-d at puremagic.com
Mon Aug 15 12:58:14 PDT 2016


On Monday, 15 August 2016 at 18:52:03 UTC, Basile B. wrote:
> On Monday, 15 August 2016 at 17:05:32 UTC, Brad Anderson wrote:
>> With all of the issues people are having with Windows Defender 
>> now would be a good time to start code signing the Windows 
>> installer and binaries (doing this is the first thing 
>> Microsoft suggests on their page for Software Developers about 
>> Windows Defender false positives).
>>
>> I propose the D Foundation acquire a code signing certificate 
>> and we start using it for releases. Alternatively any well 
>> known organization member could be the signer (having "The D 
>> Foundation" on the popup sure would look nice though). I'd be 
>> happy to put my money where my mouth is and chip in some of 
>> the money to cover the certificate cost.
>>
>> I've used StartSSL's code signing certificates successfully 
>> for this purpose but I imagine any vendor will do. The biggest 
>> hassle is certificate format conversion but once you've got 
>> the certificate in the Windows certificate store signing is 
>> just a command line call that can be easily scripted.
>>
>> There is already an issue created for this here: 
>> https://issues.dlang.org/show_bug.cgi?id=16065
>
> Do you think that a certificate prevents an antivirus from scanning 
> an executable? I'm laughing out loud here.

No. Of course not.

To quote Microsoft: "Signing your program’s files in a consistent 
manner, with a digital certificate issued by a trusted root 
authority, helps our research team quickly identify the source of 
a program and apply previously gained knowledge. In some cases 
this can result in your program being quickly added to the known 
list or, far less frequently, in adding your digital certificate 
to a list of trusted publishers."

At work we added class 3 code signing and it helped quite a bit 
with McAfee's warnings about our software for end users. In that 
case it was warnings about new releases of our software that 
hadn't had many installs yet.

Microsoft isn't selling certificates (though it'd be nice if they 
offered them like Apple does although with Apple you have to get 
a DUNS number which I'm sure you consider a scam as well).

Please share your suggestions for how to help with the false 
positive issue (or just continue laughing in ignorance based on 
an assumption of something I never said).
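The "command line call that can be easily scripted" above, written out as an added example for this thread (not the D Foundation's release tooling): it signs release binaries with a certificate already imported into the Windows certificate store, then re-verifies each file. The certificate subject, the file paths and the timestamp URL are assumptions; replace the placeholder URL with your CA's timestamp service, otherwise the signatures stop validating when the certificate expires.

```powershell
# Added example (not from the thread): sign Windows release binaries from the
# certificate store and verify the result. Assumes the code signing certificate
# was already imported into Cert:\CurrentUser\My (after any PEM/PFX conversion).
param(
    [Parameter(Mandatory)] [string[]] $Paths,                        # e.g. .\dmd-setup.exe, .\bin\*.exe
    [string] $Subject      = 'The D Foundation',                     # assumed CN of the signing cert
    [string] $TimestampUrl = 'http://timestamp.example.invalid'      # placeholder: your CA's timestamp URL
)

# Select the newest, unexpired code signing certificate for the subject. Fail loudly
# rather than silently shipping unsigned binaries when the cert is missing or expired.
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object { $_.Subject -like "*CN=$Subject*" -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No valid code signing certificate for '$Subject' in Cert:\CurrentUser\My" }

$files = Get-ChildItem -Path $Paths -File
if (-not $files) { throw "No files matched: $($Paths -join ', ')" }

foreach ($file in $files) {
    # SHA-256 file digest; the timestamp lets the signature outlive the certificate.
    $sig = Set-AuthenticodeSignature -FilePath $file.FullName -Certificate $cert `
        -HashAlgorithm SHA256 -TimestampServer $TimestampUrl
    if ($sig.Status -ne 'Valid') {
        throw "Signing $($file.Name) failed: $($sig.Status) $($sig.StatusMessage)"
    }
}

# Independent check of the artefacts: the signature must chain to a trusted root
# (Status = Valid), come from the certificate we chose, and carry a timestamp.
foreach ($file in $files) {
    $check = Get-AuthenticodeSignature -FilePath $file.FullName
    if ($check.Status -ne 'Valid' -or $check.SignerCertificate.Thumbprint -ne $cert.Thumbprint) {
        throw "Verification failed for $($file.Name): $($check.Status)"
    }
    if (-not $check.TimeStamperCertificate) {
        Write-Warning "$($file.Name) is signed but not timestamped"
    }
    Write-Output ("{0}: signed by {1}" -f $file.Name, $check.SignerCertificate.Subject)
}
```

Run it from the release build step so every shipped installer and binary is signed the same way, which is the consistency Microsoft's guidance quoted above is asking for.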
