A fully managed end-to-end service for digitally signing code, documents, and applications. (formerly Trusted Signing)
SmartScreen warnings for newly signed installers are expected behavior until the file and its signing certificate establish sufficient reputation, even when using Trusted Signing and valid Microsoft issuing CAs.
From the available information:
- Windows now requires Trusted Signing for `/INTEGRITYCHECK`-linked user-mode PE files
  - For user-mode PE files built with the `/INTEGRITYCHECK` linker option, Windows requires them to be signed with Trusted Signing (formerly Azure Code Signing).
  - The legacy cross-signing program is deprecated; no new cross-signing certificates are issued, though existing binaries signed under that program remain trusted.
  - This affects how new binaries are signed and trusted at the OS level, but it does not bypass SmartScreen’s reputation-based checks.
- SmartScreen uses reputation, not only CA trust
  - Microsoft Defender SmartScreen evaluates both the URL and the app’s digital signature to determine reputation.
  - Even if the certificate chain is valid and issued by a Microsoft intermediate CA, a newly issued intermediate or a newly signed file can still trigger SmartScreen warnings until enough telemetry and usage data build a positive reputation.
  - SmartScreen warnings therefore can still appear for:
    - New installers signed with a new intermediate CA.
    - Low-prevalence binaries, even if correctly signed.
- SHA-2 and certificate validity vs. SmartScreen
  - Microsoft has moved to SHA-2 exclusively for code signing and related operations.
  - A file being SHA-2 signed and chained to a trusted root/intermediate ensures cryptographic validity but does not guarantee SmartScreen reputation.
  - If the signature is valid (for example, shows `SHA256` in the Digital Signatures tab), any remaining warnings are due to SmartScreen reputation rather than a basic trust failure.
- Practical implications for new Trusted Signing intermediates
  - When Microsoft introduces or rotates issuing CAs (including for Trusted Signing), Windows trusts them for signature validation, but SmartScreen still applies its reputation model.
  - As a result, installers signed with a new intermediate CA can continue to show SmartScreen warnings until:
    - The certificate and binaries gain sufficient reputation, and
    - SmartScreen’s telemetry recognizes them as low risk.
- What can be done
  - Ensure all binaries are:
    - Signed with Trusted Signing as required (especially for `/INTEGRITYCHECK` scenarios).
    - SHA-2 (SHA256) signed and chaining correctly to the Microsoft Trusted Signing hierarchy.
  - Distribute the installer through normal channels so that usage and telemetry can build reputation over time.
  - Avoid disabling SmartScreen or other protections; Microsoft does not recommend bypassing security features to work around reputation warnings.
The behavior described (SmartScreen warnings despite valid signatures from current Microsoft issuing CAs) is therefore consistent with SmartScreen’s reputation-based design and not addressed solely by the CA or signing changes.
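The distinction the answer draws, a basic trust failure versus a reputation-only SmartScreen prompt, can be checked locally before an installer ships. The PowerShell script below is an added example, not part of the original answer or of Microsoft's tooling; it assumes a `-Path` to a signed PE file, and the helper `Test-ForceIntegrityFlag` is my own: it reads the `DllCharacteristics` field of the PE optional header to report whether the binary was linked with `/INTEGRITYCHECK`, the case in which the Trusted Signing requirement applies.

```powershell
# Added example (not from the original answer): tell a basic trust failure apart from a
# SmartScreen reputation prompt, show which intermediate issued the signing certificate, and
# check whether the binary was linked with /INTEGRITYCHECK (the case that requires Trusted Signing).
param([Parameter(Mandatory)][string]$Path)   # path to a signed PE file, e.g. .\Setup.exe (assumed input)

function Test-ForceIntegrityFlag {
    param([string]$FilePath)
    $bytes  = [System.IO.File]::ReadAllBytes($FilePath)
    $lfanew = [BitConverter]::ToInt32($bytes, 0x3C)                  # e_lfanew -> offset of "PE\0\0"
    if ($lfanew -le 0 -or ($lfanew + 0x60) -gt $bytes.Length -or
        [BitConverter]::ToUInt32($bytes, $lfanew) -ne 0x4550) { throw "$FilePath is not a PE image" }
    $optHdr = $lfanew + 24                                           # 4-byte signature + 20-byte COFF header
    # DllCharacteristics sits at offset 70 of the optional header in both PE32 and PE32+
    $dllChar = [BitConverter]::ToUInt16($bytes, $optHdr + 70)
    return (($dllChar -band 0x0080) -ne 0)                           # IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY
}

$sig = Get-AuthenticodeSignature -FilePath $Path
"Signature status : $($sig.Status) - $($sig.StatusMessage)"
if ($sig.Status -ne 'Valid') {
    "=> Basic trust failure (unsigned, hash mismatch or untrusted chain); fix this before looking at SmartScreen."
    return
}
$cert = $sig.SignerCertificate
"Signer           : $($cert.Subject)"
"Issuer           : $($cert.Issuer)"
"Cert algorithm   : $($cert.SignatureAlgorithm.FriendlyName)"      # the certificate's own algorithm, e.g. sha256RSA
"Timestamped      : $([bool]$sig.TimeStamperCertificate)"         # lets the signature outlive a short-lived cert

# Walk the chain so a newly introduced or rotated issuing CA is visible at a glance
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
[void]$chain.Build($cert)
$chain.ChainElements | ForEach-Object { "  chain element  : $($_.Certificate.Subject)" }

"/INTEGRITYCHECK  : $(Test-ForceIntegrityFlag -FilePath $Path)"
"=> Signature chain is valid. The file digest (sha256) is shown by: signtool verify /pa /v $Path"
"=> A SmartScreen prompt at this point is reputation-based, not a signature or CA trust problem."
```

Run it as `.\Check-InstallerSignature.ps1 -Path .\Setup.exe` (script name assumed); a `Valid` status with a Microsoft Trusted Signing intermediate in the chain means any remaining prompt falls under the reputation model described above.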