How can I make SmartScreen Filter trust a self-signed certificate

Question

Microsoft's SmartScreen Filter under Windows 8 is a small developer's worst nightmare.

While I realize the benefits to end users and the effectiveness at stopping malicious programs from installing themselves on end users' computers, I and many other developers would rather not pay the fees for annual renewal of a Code Signing Certificate or, even worse, an EV Code Signing Certificate. Also, when products developed for use in-house are signed with a trusted certificate from an internal CA, stored in the Trusted Publishers store, they still fall prey to the filter's overzealous behavior.

Developers and Administrators used to be able to disable the warnings and prompts by installing a publisher's Code Signing Certificate in the Trusted Publishers store. Creative developers could install their self-signed Code Signing Certificate there when they install a pre-requisite signed and timestamped with a paid-for Authenticode Code Signing Certificate. After that, programs signed by the publisher would be trusted and would not trip the SmartScreen Filter alarms. Essentially, once trusted, a publisher was free from the recurring fees.

The recent changes to the SmartScreen Filter (and its inclusion as an OS "feature" in Windows 8) make it clear Microsoft wants you to buy a code signing certificate instead of creatively working around the problem they've created for you. Has anyone discovered a new method to trust publishers who use their self-signed Code Signing Certificates by default (i.e., not showing the prompts)? Short of turning off the filter completely, what can end users do to let the SmartScreen Filter know to always trust a Self-Signed certificate?

Please note that purchasing a Code Signing Certificate is not an answer to this question. I'm looking for a way to tell SmartScreen Filter to trust a publisher that does not purchase certificates from an outside source, but instead issues their own for use inside their organization.

UPDATE: I think I might have found a workaround! From MSDN, SmartScreen Filter can be disabled on Windows 8 and Internet Explorer 10 for sites listed as Trusted Sites. If someone could verify that this method works for setup programs downloaded and run from a Trusted Site in Windows 8, that would be greatly appreciated and would help a lot of ISV's and in-house development teams. It would also be the workaround needed to answer this question. Trusted Sites can be configured by group policy, so it would be simple from there.

Programmatically, turning off SmartScreen Filter for the Trusted Sites Zone can be achieved by setting either HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2!2301 for the machine or HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2!2301 for the user to 0, and adding the site to be trusted to the Trusted Sites Zone can be done as shown in this question.

Could someone please verify that my proposed workaround functions on Windows 8 for an unsigned or self-signed executable downloaded from a Trusted Site? I'm not using Windows 8 myself, having spent my OS upgrade budget on certificate fees.

Answer 1

Using a 90 day trial of Windows 8 from Microsoft, I've been able to verify that my workaround does indeed work. If you want to pay for a code signing certificate once and only once instead of paying annual fees, this method should work for you as well, but I can't make any guarantees. My solution is per-machine, but should be easy to convert to work per-user.

This is my solution:

1. Set up your own certificate infrastructure.
2. Publish copies of your root CA certificate, any intermediate CA certificates issued by your root, and any code signing certificates issued by your intermediate CA's to your website as .cer files.
3. Install an SSL certificate on your website that was issued by your Root CA.
4. Create an installer/downloader application that performs the following tasks:
   • Installs the root CA certificate (from your website, step 2) into the Trusted Root Certification Authorities store for the end user's machine.
   • Disables SmartScreen Filter for the Trusted Sites internet zone by setting HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2!2301 to 0.
   • Adds your website to the zone map by adding the registry key(s) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\yourdomain.com\yoursubdomain.
   • Maps your domain to the Trusted Sites zone by creating a DWORD named https with a value of 2 in the key created in the previous step.
5. Purchase a code signing certificate from a member of Microsoft's Trusted Root program, preferably an EV certificate.
   • Before your purchase, make sure the certificate and timestamping scheme used by the CA for your code signing certificate will not result in OID's 1.3.6.1.4.1.311.10.3.13 or 1.3.6.1.4.1.311.10.3.14, as these would make the signature expire when the certificate expires, whether it's timestamped or not.
6. Sign and timestamp your downloader/installer with the certificate purchased in step 5. Verify the absence of lifetime limitations on the signature. If everything is ok, you can put your purchased code signing certificate in a safe place and lock it away.
7. Publish your downloader/installer program to your website. Make it a pre-requisite download for all your products.
8. From this point on, you can use code signing certificates (and other certificates, for that matter) issued by your own internal certificate authorities without SmartScreen Filter being a nuisance.

The worst warning I’ve received using this method so far has been “This type of file could harm your computer.” That's the typical "You're downloading an executable file!" warning. It doesn’t hide the Run option and does not appear for ClickOnce deployments using the bootstrap webpage generated by clicking “Publish” in VS2010.

Thanks for all the comments and links.