I’m designing a deployment process for a Windows 10 desktop application that will run on client machines. There are two programs: an app and an installer which downloads and installs the app. It’s important that clients never see any scary security warnings. The installer is signed with an Extended Validation (EV) Certificate, so it doesn’t trigger Windows SmartScreen. The app is not signed by any certificate but, in testing, Windows 10 doesn’t seem to complain when the user runs the app.
- Does Windows SmartScreen consider the app safe because it was downloaded by a EV signed installer?
- Can I depend on this behavior and forego code signing the app?
Not My Question:
I’m not asking if I should sign the app for other reasons, I know I should. Only asking about Windows SmartScreen security warnings.