
The problem with distributing standalone installers on Windows is that all non-popular apps are immediately regarded as malware by Windows Defender unless you go through the horrendous process of signing your app, which requires obtaining a certificate (which also requires forming a company that is not an LLC) and waiting more than a month while navigating multiple rounds of bureaucracy. I’ve done it for my app, and it was a terrible experience. Microsoft should study how Apple handles signing and notarization.

EDIT: spelling.



> signing your app, which requires obtaining a certificate (which also requires forming a company that is not an LLC) and waiting more than a month while navigating multiple rounds of bureaucracy.

This is not true, not as phrased.

A. You can get a cert issued in your personal name. Not an EV one, but still.

B. You are likely to already have a company if you are selling online.

C. It doesn't take "a month" even for an EV cert. Several days tops unless you go through Comodo, in which case you get what you pay for.

D. It is perfectly fine to distribute unsigned installers. They produce a warning on launch, granted, but contrary to the urban legend they are not getting instantly shit-canned by the Defender.


A. Indeed, that requirement only applies to EV certs (at least for the cert authority I used).

B. That's not always the case with indie developers.

C. Well, it took me. My cert authority was GlobalSign.

> but contrary to the urban legend they are not getting instantly shit-canned by the Defender.

That was not my experience. Try to download an unsigned binary using Edge and see what happens. From what I remember (I'm on macOS, mostly), they are "getting instantly shit-canned".


There is a new approach to doing code-signing called "trusted signing". Haven't used it myself so can't comment on the benefits.

https://www.advancedinstaller.com/trusted-signing-integratio...

https://learn.microsoft.com/en-us/azure/trusted-signing/over...


Who was your EV cert vendor?

I've recently used two different vendors, replied within minutes to each of their queries in hopes of expediting the process, but each time it took the better part of 2 months before I was in possession of a USB signing key.

This is for a Delaware C-corp, so it was about as vanilla as it could be for their side.


It used to be Digicert, but they hit rock bottom and went straight below it after their merger with Symantec. Quadrupled their prices by forcing everyone onto subscriptions, obnoxious sales people, sales phone calls, price negotiations, the whole shebang. However, their validation team is still the best.

It took some searching, but it turns out that they spun off their non-subscription certificate business under the name of GoGetSSL. This entity resells other vendors too, but if you get their "own" certificate, which is the cheapest of the bunch, the validation is done by Digicert. So, that's the answer for the time being.

Entrust, Globalsign, Certum are way more expensive, slow and bureaucratic. Comodo (or Sectigo, which is the same thing) are just utter crap. Their validation process is an India-outsourced torture. Never again. Not even for free.


They don't produce a warning on launch, but browsers will make it hard to open unsigned installers. Edge makes it especially hard. Chrome less so.


Just went through the code signing odyssey. It is a racket, but it did not take me a month. It took me a week and a half, including integration into automated builds.


How do the automated builds work? When I tried this five years ago a hardware dongle needed to be connected to the build machine.


Yes, there is a self-hosted GitHub runner for signing. The token is installed on a desktop in the office that runs this.


Azure trusted signing for the win. Only $9.99/month.


That is still more expensive than the $99 a year Apple charges, and you get a lot more than just signing for that price.


Never heard of this! What kind of certificate does it support (oddly enough, it doesn't say on the website)? Do you have experience with the process?


Code signing cert. It works best as part of GitHub Actions.


Can Azure sign MSIX application bundles with that subscription price?


> which also requires forming a company that is not an LLC

I always thought that an LLC was sufficient, what's the actual requirement if an LLC is not enough?


For an EV certificate, you need to have a government-registered business [0], though a record of Doing Business As should be sufficient. Where I live, that involves filling out a form, paying a fee, and taking out a classified ad for 3 weeks [1]. There are cheaper certificates, OV, that merely require a notary public's confirmation (which is what I did).

However, as the other post said, Windows will treat an EV certificate with very high trust and should not show SmartScreen. For OV signed software, it looks like [3] Microsoft will use some telemetry to assemble a trust score as people download and accept the risk of running the software, over days or weeks.

[0] https://support.ksoftware.net/support/solutions/articles/358... KSoftware is a sales partner for Sectigo. I used their service and later Sectigo directly, before last year's change to require FIPS hardware for managing the code signing certificate.

[1] https://www.cookcountyclerkil.gov/vital-records/business-not...

[2] https://support.ksoftware.net/support/solutions/articles/232...

[3] https://stackoverflow.com/a/65653792/504994
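Several posts in this thread (unsigned installers triggering warnings, OV versus EV certificates, SmartScreen building reputation from telemetry) come down to properties that can be inspected on the downloaded file itself. The PowerShell below is an added example, not code from any commenter or from Microsoft. It assumes a placeholder installer path, and the EV check, which looks for the CA/Browser Forum EV code-signing policy identifier 2.23.140.1.3 in the certificate's Certificate Policies extension, is stated as an assumption and should be read as a heuristic rather than a guarantee.

```powershell
# Added example (not from the thread): report the signature and download-origin
# facts that drive the SmartScreen/Defender behaviour discussed above.
function Test-InstallerTrust {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Path   # placeholder: any .exe or .msi you downloaded
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "File not found: $Path"
    }

    # Authenticode status: Valid, NotSigned, HashMismatch, UnknownError, ...
    $sig = Get-AuthenticodeSignature -LiteralPath $Path

    $result = [ordered]@{
        File          = $Path
        Status        = $sig.Status
        StatusMessage = $sig.StatusMessage
        Signer        = $null
        Issuer        = $null
        NotAfter      = $null
        Timestamped   = $false
        IsEV          = $false
        MarkOfTheWeb  = $false
        ZoneId        = $null
    }

    if ($sig.SignerCertificate) {
        $cert = $sig.SignerCertificate
        $result.Signer   = $cert.Subject
        $result.Issuer   = $cert.Issuer
        $result.NotAfter = $cert.NotAfter
        # A timestamp countersignature lets the signature stay valid after the
        # signing certificate itself expires.
        $result.Timestamped = ($null -ne $sig.TimeStamperCertificate)

        # Assumption: EV code-signing certs carry policy OID 2.23.140.1.3 inside
        # the Certificate Policies extension (OID 2.5.29.32). Heuristic only.
        $policyExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.32' }
        if ($policyExt) {
            $policyText = $policyExt.Format($false)
            $result.IsEV = [bool]($policyText -match '2\.23\.140\.1\.3')
        }
    }

    # Mark of the Web: browsers write a Zone.Identifier alternate data stream on
    # saved files. ZoneId=3 (Internet) is what makes SmartScreen evaluate the
    # file when it is launched; a local build has no such stream.
    try {
        $zone = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction Stop
        $result.MarkOfTheWeb = $true
        $zoneLine = $zone | Where-Object { $_ -like 'ZoneId=*' } | Select-Object -First 1
        if ($zoneLine) { $result.ZoneId = [int]($zoneLine -replace '^ZoneId=', '') }
    } catch {
        # No alternate stream: the file was never marked as downloaded, or the
        # mark was removed (e.g. via Unblock-File or the file's Properties dialog).
    }

    [pscustomobject]$result
}

# Usage (placeholder path):
Test-InstallerTrust -Path 'C:\Users\Public\Downloads\example-installer.exe' | Format-List
```

Reading the output against the thread's claims: Status NotSigned together with ZoneId 3 is the case where the "unrecognized app" prompt appears; Status Valid with IsEV $false is an OV-signed file whose reputation SmartScreen accumulates from telemetry over time; Status Valid with IsEV $true is the EV case where reputation is granted up front. Run the function on the same installer before and after Unblock-File to see that only the MarkOfTheWeb and ZoneId fields change, which is why a locally built binary never shows the prompt while the identical downloaded one does.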


We got a certificate with a company that's the local equivalent of an LLC, and have seen certificates issued to private individuals. As far as I can tell it's up to the issuer who they support in their verification process. Many of them are pretty inflexible with somewhat arcane processes designed decades ago (with ancient website portals to match), so your experience may vary.

An additional detail is that there are two levels of code signing certificates, normal and EV (extended validation) certificates. EV certificates make Windows completely drop the low-reputation screen and cause many antivirus solutions to trust you, but are expensive and are a bit of a pain to get. Normal certificates are cheaper and comparatively easier to acquire, but only give partial benefits (less scary screen from Windows, some leeway from antivirus).


Like wongarsu described, there are two types of certificates. I got the more trusted one (EV certificate) which has higher requirement standards (one of which is to be a formed corporation that is not a sole proprietorship).



