Search code examples
windows-installerinstallationreleasesmartscreen

"Proper" way of releasing software and creating an installer for it


Let's suppose I've just created an app in visual studio and now I want to distribute it. I've set the app to release mode and I have a copy of the app that works just fine. My main question is how would I go about creating an installer for it and making sure Windows knows it's trustworthy? Do I have to create some sort of certificate?

I've been searching and downloaded NSIS but I'm not sure how to use it so I just used Inno Setup Compiler which works just fine. Sometimes Avast checks my application and takes about 5 or 10 seconds before opening it but that doesn't happen with other applications.

Is that a problem with avast?


Solution

  • Deployment Tool: Here is a piece on common MSI tools, and links to other, non-MSI deployment tools. The links to Stefan Kruger's site installsite.org shows the full list of available tools for MSI and non-MSI. The most common tools are: WiX (open source, learning curve - hints here), Advanced Installer (great tool, lots of smarts), Installshield (market leader), and others. Have a look.

    SmartScreen: Windows now features "SmartScreen" - which is a trust based system where your binaries have to "earn reputation" through use. Essentially you need to buy a Extended Validation Certificate to "buy trust" outright (Interesting concept... Who smells a racket?):

    VirusTotal.com: I like to upload my binaries to VirusTotal.com. They check the binaries with a plethora of malware scanners and you can see if any scanners flag your binaries as suspicious. An important step to check both for genuine malware in your release files (happens), and also - and just as importantly - for false positives - that would otherwise cause your users problems and you a lot of support calls.

    Reputation: Note that I am not sure whether uploading helps with the binaries reputation for SmartScreen. I don't think it does - at least not in a quick way. You need an EV code-signing certificate to "buy trust" for large scale distributions. I should add that the vetting and approval for such certificates involve verifying the company's existence (like normal certificates), but also dongles or hardware keys - I think - and hence is quite a bit of fuss to get, and hence does "prove" that the distributor must at least be well-organized.


    Links: