How can I transfer Microsoft SmartScreen reputation to a renewed certificate?
I know that even software signed with a new code signing certificate triggers the Microsoft Defender SmartScreen warning "Windows Defender SmartScreen prevented an unrecognised app from starting". The warning goes away only after the certificate builds a reputation (see "Smart-Screen filter still complains, despite I signed the executable, why?").
But we have been signing our software (WinSCP) with a DigiCert code signing certificate for years. It is a plain certificate, no Extended Validation (EV).
As our certificate is expiring soon, we have renewed it. But now, signed with the renewed certificate, our software triggers the SmartScreen warning.
Is that expected? Is the reputation really not transferred to the renewed certificate? If not, what does it take to build the reputation again? The new (beta) version of our software (signed with the renewed certificate) is out for a few days already, and it has tens of thousands of installations, but it still triggers the warning. Or is there a way to help the reputation to transfer somehow?
We have tried to submit the files for malware analysis to Microsoft. Although the binaries passed the tests, it did not have a visible effect on the SmartScreen check.
It seems the most important advice is to get the new code signing certificate before it expires, so the new one has time to gain a reputation. Last time I got the new cert to get a reputation in about 30 days. This is an answer from Microsoft received in 2020 regarding Microsoft SmartScreen:
To give you some additional background, when a certificate is renewed, or if a new certificate is used to sign files, a fresh reputation needs to be established. The reputation of the previous certificate is one of the important elements in attaching reputation to the newer certificate. Typically, a renewed certificate will establish reputation more quickly than a completely new certificate such as one from a different CA or one which uses different organisation details (company name, etc.). For future reference, here are some suggestions to help establish reputation for a new or renewed certificate:
- When using a new certificate (or even renewing a cert), use the same information (Name, email contact address, etc.) that was used for an older, established certificate
- Use the new certificate to sign an already established application
- Sign a new application with an already established certificate
- Ensure that applications signed with the new certificate are accessible (rather than remaining on an intranet, for example)
- Do not create many different certificates for signing applications. Use a limited number of certificates, and ensure that applications that are signed with them are not vulnerable to compromise
- Consider renewing the certificate a little early and signing a few of your applications with it before your existing certificate expires
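As an added example (not part of the question or of Microsoft's answer), the following PowerShell check verifies the points above before a release: that the renewed certificate keeps the same subject and issuer as the old one, how many days of overlap remain for signing with both, and that a built binary actually carries the renewed certificate with a timestamp. The file paths are placeholders you would replace with your own exported .cer files and signed binary.

```powershell
# Added example: compare a renewed code signing certificate with the one it
# replaces and confirm a release is signed with it. Paths are placeholders.
$oldCertPath  = 'C:\certs\old-codesign.cer'       # placeholder
$newCertPath  = 'C:\certs\renewed-codesign.cer'   # placeholder
$signedBinary = 'C:\build\WinSCP-setup.exe'       # placeholder

$old = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $oldCertPath
$new = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $newCertPath

# 1. Same organisation details: Microsoft ties the renewed certificate's
#    reputation to the old one partly through matching subject information.
if ($old.Subject -eq $new.Subject) {
    Write-Host "OK   Subject unchanged: $($new.Subject)"
} else {
    Write-Warning "Subject differs:`n  old: $($old.Subject)`n  new: $($new.Subject)"
}

# 2. Same CA: a renewal from the same issuer builds reputation faster than a
#    certificate from a different CA.
if ($old.Issuer -eq $new.Issuer) {
    Write-Host "OK   Same issuer: $($new.Issuer)"
} else {
    Write-Warning "Issuer changed:`n  old: $($old.Issuer)`n  new: $($new.Issuer)"
}

# 3. Overlap window: the days during which you can still ship with the old
#    certificate while releases signed with the new one gather reputation.
$overlap = ($old.NotAfter - $new.NotBefore).Days
if ($overlap -gt 0) {
    Write-Host "OK   $overlap day(s) of overlap; old certificate expires $($old.NotAfter)"
} else {
    Write-Warning "No overlap: the old certificate expired before the new one became valid"
}

# 4. Confirm the release really carries the renewed certificate and a
#    countersignature (timestamp), so the signature outlives the certificate.
$sig = Get-AuthenticodeSignature -FilePath $signedBinary
Write-Host "Signature status : $($sig.Status)"
Write-Host "Signer thumbprint: $($sig.SignerCertificate.Thumbprint)"
Write-Host "Timestamped      : $($null -ne $sig.TimeStamperCertificate)"
if ($sig.SignerCertificate.Thumbprint -ne $new.Thumbprint) {
    Write-Warning "Binary is not signed with the renewed certificate ($($new.Thumbprint))"
}
```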