In order to better understand the problem, let's first break down the basic definitions.
There are 2 kinds of "trust" when it comes to software, called:
- Chain of trust
- Web of trust
More information about these is here:
What is Chain of trust?
What is Web of trust?
As you can see, to make your software trusted (to the end user) you either purchase a signing certificate from a root authority, which costs money (Chain of trust), or
the alternative way is to build a web of trust, which is free of charge (Web of trust).
Web of trust
Web of trust works like this:
- You generate a public/private key pair (a certificate)
- Sign your executable with the private key, which creates a signature file
- Share/Deploy your executable together with the signature file
- The end user verifies that the executable is trusted, that is, that it comes from a trusted source
However, the Web of trust method will not stop Windows or Windows Defender from complaining; it will continue to complain that the software is not trusted because
Windows uses Chain of trust to validate the executable signature.
Therefore Web of trust requires the end user to allow the executable to be downloaded; the end user then uses separate software that will validate the signature of the executable.
This probably does not answer your question, because you want Windows not to complain, which costs money.
If you want to go the route of Web of trust you will need the Gpg4Win suite:
Gpg4Win installs the Kleopatra GUI interface; documentation for Web of trust is here:
Making and verifying signatures
Self signed certificate
A self signed certificate is a third option, but it will not work like Chain of trust, because no root authority has signed it (which is not free).
In order to make that work for free, the end user will have to install your self signed certificate into the trusted root on their local computer,
which some users may not be willing to do, but there is a solution to this...
Before proceeding you should understand what Public Key Cryptography is:
What is Public Key Cryptography?
To create a self signed certificate for software signing, use the Gpg4Win suite.
That suite installs a GUI tool called "Kleopatra", which you can use to create your certificate.
During the certificate creation wizard, make sure to check the "Signing" checkbox under the "Advanced" button.
An alternative option to create a self signed certificate is to use the command line tool called Cert2SPC, which is part of the Windows 10 SDK.
Software signing and sharing
To actually sign your executable with the created self signed certificate, use SignTool, which is part of the Windows 10 SDK.
Now, once your executable is signed, you will probably upload it to your server where users download it.
But in order to convince users and, most importantly, their Windows systems, which flag it as untrusted, you will also have to upload your public key,
which is your self signed certificate without the private key (you keep the private key for yourself to sign software).
HINT: Use Kleopatra to export your certificate without private key.
Prior to downloading your software, users have to download your certificate (public key) and install it to the trusted root; this will make the download
of your software trusted. Your users need to install the certificate only once! Subsequent updates to the executable and/or new software that you
make will be trusted because it originates from you.
Therefore installing that certificate makes you a trusted developer; you only need to ensure your private key is safe and make sure you sign
everything that you make with that private key.
The following document explains how to install your self signed certificate (public key only) into the trusted root on the user's computer:
Installing the trusted root certificate
Now all you have to do is write a short tutorial on the download site to let users know they need your certificate prior to installing the software.
As you can see, there is a reason why certificates cost money: it's because the authority company that makes certificates has their certificate automatically installed
on everyone's system, so users don't need to install their certificate.
You have no other options.
Like my answer, upvote it!
If you have a question, write it in the comment section below.
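The self signed workflow from the answer above, as an added example that is not part of the original answer: it uses PowerShell's built-in New-SelfSignedCertificate in place of the Kleopatra/Cert2SPC step, signs with signtool.exe from the Windows 10 SDK, and shows what Get-AuthenticodeSignature reports on the user's machine before and after the public certificate is imported into Trusted Root. All paths, the subject name and the timestamp URL are placeholders, and signtool.exe is assumed to be on PATH.

```powershell
# Added example, not the answer author's code. Placeholders: paths, subject, TSA URL.

# --- Developer side: create a self-signed code-signing certificate ------------
# The private key is created in the developer's personal store and never leaves it.
$cert = New-SelfSignedCertificate `
    -Type CodeSigningCert `
    -Subject 'CN=Example Developer (placeholder)' `
    -KeyAlgorithm RSA -KeyLength 3072 -HashAlgorithm SHA256 `
    -NotAfter (Get-Date).AddYears(3) `
    -CertStoreLocation 'Cert:\CurrentUser\My'

# Export ONLY the public certificate (.cer) for distribution, as the answer's
# HINT describes. This DER file contains no private key.
Export-Certificate -Cert $cert -FilePath 'C:\release\developer-public.cer' | Out-Null

# Sign the executable with SignTool, selecting the certificate by thumbprint.
# /fd is the file digest; /tr and /td request an RFC 3161 timestamp so the
# signature stays valid after the certificate itself expires.
& signtool.exe sign /fd SHA256 /sha1 $cert.Thumbprint `
    /tr 'http://timestamp.example.invalid' /td SHA256 'C:\release\MyApp.exe'

# --- User side: what Windows sees before and after trusting the cert ---------
# Before the public cert is in Trusted Root the chain ends in an untrusted root,
# so Status is not 'Valid' (this is the "not trusted" complaint from the answer).
$before = Get-AuthenticodeSignature 'C:\Downloads\MyApp.exe'
"Before import: $($before.Status) - $($before.StatusMessage)"

# Inspect the downloaded .cer before trusting it: importing into Trusted Root
# means trusting everything ever signed with that key, so compare the
# thumbprint against the one published on the developer's site.
$pub = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
    'C:\Downloads\developer-public.cer')
$pub | Format-List Subject, Thumbprint, NotAfter

# Install into the machine's Trusted Root store (needs an elevated prompt).
Import-Certificate -FilePath 'C:\Downloads\developer-public.cer' `
    -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# Now the chain terminates in a trusted root and the signature validates.
$after = Get-AuthenticodeSignature 'C:\Downloads\MyApp.exe'
"After import: $($after.Status)"                         # Valid
# Confirm the file was signed by the certificate the user just trusted.
$after.SignerCertificate.Thumbprint -eq $pub.Thumbprint   # True
```

Note that Authenticode chain trust and SmartScreen's reputation check are separate mechanisms, so a valid signature is not by itself a reputation.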