Leigh_Marble
Copper Contributor
Jan 11, 2024

Codesigning with ECC certificate (rather than RSA) - works with SmartScreen?

Hello,


Newbie here at the MS tech community, hope I'm posting this in the right spot. I have a seemingly straightforward question that I haven't found an answer to yet:


Does https://learn.microsoft.com/en-us/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/ work with code signing certificates that use an ECC algorithm, instead of an RSA algorithm?


The story here is: I recently purchased an EV code signing certificate from Sectigo. Following https://www.sectigo.com/knowledge-base/detail/Key-Generation-and-Attestation-with-YubiKey/kA03l000000roEV, I had secured my EV certificate on a Yubikey. For this, I had to choose one of the ECC algorithms, not RSA. Then I used this certificate to code sign a new build of one of my apps.


When a user runs an application that has been signed with an EV certificate, they should not see the SmartScreen warning message that “Running this app might put your PC at risk” (like in the attached screenshot). However, I am getting that SmartScreen warning with it, every time.

I submitted the signed app to Microsoft's online https://www.microsoft.com/en-us/wdsi/filesubmission. The analysts there wrote back that "the files submitted are now determined as clean" and that "the application has since established reputation and attempting to download or run the application should no longer show any warnings."


Sadly, on my Windows 10 and Windows 11 systems, it is still showing the SmartScreen warning. (To be clear, I have never "clicked through" the warnings for it, and told it "run anyway", for testing purposes.) 


Other software devs I have spoken with, who are using certificates with RSA crypto, have not had this problem. So I am left wondering if that difference is the issue.


Thank you,

Leigh

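A local check that separates the two things the thread keeps apart, chain trust of the Authenticode signature versus SmartScreen reputation, is to read the signature off the signed binary and report the signer's key algorithm and EV policy. This is an added example, not code from the thread; the file path is a placeholder, and the EV policy OID used is the CA/Browser Forum EV code signing policy identifier.

```powershell
# Added example (not from the thread): inspect an Authenticode-signed file and report
# the signer's key algorithm (RSA vs ECC), whether the certificate carries the CA/B Forum
# EV code-signing policy OID, and whether the signature chains to a trusted root locally.
# A "Valid" status here says nothing about SmartScreen reputation; it only covers chain trust.
param(
    [Parameter(Mandatory = $true)]
    [string]$Path   # placeholder, e.g. .\MyApp.exe
)

# CA/Browser Forum policy OID for EV code signing certificates.
$EvCodeSigningPolicyOid = '2.23.140.1.3'
# X.509 Certificate Policies extension OID.
$CertificatePoliciesOid = '2.5.29.32'

$sig = Get-AuthenticodeSignature -FilePath $Path
if ($null -eq $sig.SignerCertificate) {
    Write-Output "No Authenticode signature found on $Path (status: $($sig.Status))"
    return
}

$cert = $sig.SignerCertificate

# Key algorithm of the signing certificate; FriendlyName is "RSA" or "ECC" on Windows.
$keyAlg = $cert.PublicKey.Oid.FriendlyName
# Algorithm the CA used to sign this certificate, e.g. sha256RSA or sha384ECDSA.
$certSigAlg = $cert.SignatureAlgorithm.FriendlyName

# Look for the EV code-signing policy inside the Certificate Policies extension.
# Format() relies on the Windows CryptoAPI text formatter, which lists each Policy Identifier.
$policiesExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq $CertificatePoliciesOid }
$isEv = $false
if ($policiesExt) {
    $isEv = [bool]($policiesExt.Format($false) -match [regex]::Escape($EvCodeSigningPolicyOid))
}

[pscustomobject]@{
    File             = $Path
    Status           = $sig.Status          # Valid, NotSigned, HashMismatch, UnknownError ...
    StatusMessage    = $sig.StatusMessage
    Subject          = $cert.Subject
    Issuer           = $cert.Issuer
    KeyAlgorithm     = $keyAlg
    CertSigAlgorithm = $certSigAlg
    EvCodeSigning    = $isEv
    Timestamped      = ($null -ne $sig.TimeStamperCertificate)
    NotAfter         = $cert.NotAfter
}
```

Run it as `.\Check-CodeSign.ps1 -Path .\MyApp.exe` (script name is a placeholder); a `Valid` status with `KeyAlgorithm = ECC` and `EvCodeSigning = True` confirms the local chain and EV policy are fine, which narrows a remaining warning down to reputation rather than signature validity.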
5 Replies

  • sankut
    Copper Contributor
    Hi,

    Actually, Microsoft SmartScreen does support ECC certificates, but they are not as common as RSA certificates. This means ECC-signed programs might take longer to be trusted by SmartScreen, which could cause warnings until enough reputation is built.

    RSA certificates are still the preferred option for quicker trust and compatibility across platforms because they have been used for a long time. EV certificates (both RSA and ECC) are used to boost SmartScreen reputation right away, but now you need to submit your files to Microsoft for verification to skip warnings.

    However, it is important to note that the choice of algorithm (RSA or ECC) does not directly impact how Microsoft SmartScreen filters your app. What matters is the reputation your software builds over time, not the type of certificate used for signing.

    So, the EV code signing certificates are still the most secure and trusted. However, with an EV certificate, you may need to submit your files to Microsoft, especially for ECC certificates, to speed up trust-building.

    Hope your answer is clear now.
  • LeonPavesic
    Silver Contributor

    Hi Leigh_Marble,

    Microsoft SmartScreen is expected to function properly with code signing certificates employing ECC algorithms. The choice between ECC or RSA algorithms for the certificate shouldn't impact SmartScreen's functionality.

    SmartScreen warnings aren't only influenced by the certificate used for signing the application.
    The application's reputation also plays a crucial role, evolving over time as more users install and use the application without encountering issues.

    In your situation, despite analysts confirming the cleanliness of your files, it may take some time for SmartScreen warnings to dissipate as your application establishes a positive reputation.

    MS SmartScreen and Application Reputation | DigiCert.com


    Please click Mark as Best Response & Like if my post helped you to solve your issue.
    This will help others to find the correct solution easily. It also closes the item.


    If the post was useful in other ways, please consider giving it Like.


    Kindest regards,


    Leon Pavesic
    (LinkedIn)

    • Leigh_Marble
      Copper Contributor

      Hi LeonPavesic,


      Thank you for your reply. Do you have a source you can name for Microsoft SmartScreen having ECC certificate support? I have been unable to find any references to it online.

      I'll highlight the fact that the certificate I'm using is an EV (Extended Validation) code signing certificate. Sellers of EV certs claim that "An EV code signing certificate offers an immediate reputation with Microsoft SmartScreen, so your users will never have to click through a SmartScreen warning in Windows." (https://www.ssl.com/faqs/which-code-signing-certificate-do-i-need-ev-ov/)

      Also the Microsoft malware analysts, who have access to the backend systems that track application reputation, are telling me that "the application [REDACTED] has since established reputation and attempting to download or run the application should no longer show any warnings."

      So the problem doesn't seem to be on the backend. Which, combined with the anecdotal evidence of other devs with RSA certificates not having this issue, leads me to guess that there may be a problem on the frontend (i.e. locally with SmartScreen on my laptop).

      I did find this Microsoft documentation that ECC algorithms are not supported in another area of the Windows Defender infrastructure:

      https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/design/select-types-of-rules-to-create#windows-defender-application-control-file-rule-levels

      But I am unclear if this would apply directly to Windows Defender Smartscreen.

      Thank you,

      Leigh

      • LeonPavesic
        Silver Contributor

        Hi Leigh_Marble,

        Thank you for the extremely good and detailed answer.

        Microsoft SmartScreen doesn't provide detailed public documentation on the specific cryptographic algorithms or certificate types it supports (at least I cannot find it - especially for ECC).
        But, from my experience and in general, SmartScreen is designed to work with standard code signing certificates, whether they use RSA or ECC algorithms.
        As you mentioned, Extended Validation (EV) certificates, which have a more rigorous validation process, are important for the increase of the reputation of the signed applications.

        The documentation you found about ECC algorithms does not directly apply to Windows Defender SmartScreen (another area of the Windows Defender infrastructure).

        Your issue is specific because it involves the interaction of your application with Microsoft's security options, so I recommend contacting Microsoft Support directly. They should be able to see if the problem is on the backend or on the frontend side.


        Kindest regards,


        Leon Pavesic
        (LinkedIn)