I have purchased a Code Signing Certificate from Sectigo, a Certification Authority. However, when I download the application I still see the SmartScreen, and although More Info identifies the supplier (Jazz Software Ltd), the [Run Anyway] button appears, I can click it and the software downloads, and installs properly. From More Info, the certificate details can be displayed. Everything is OK except that I don't understand why the SmartScreen appears.
For another user (large company with stringent security settings) the [Run Anyway] button doesn't appear, and they can't download the software. Major problem.
I found this article, which seems to have the answer:
https://social.msdn.microsoft.com/Forums/en-US/00813d25-d258-40d8-b03a-c4468959f311/smartscreen-shows-quotunknown-publisherquot-even-though-signed-correctly-using-a-trusted?forum=winformssetup
But the original article was written for Windows 8 in 2012, and perhaps things have changed in 10 years.
Question 1. Is it still necessary to use Signtool to explicitly sign the project, i.e. is it not sufficient to import a purchased Code Signing Certificate by using Visual Studio opened on the signing page of the project, and using [Select from File]?
Your answer should be "No" because it's reasonable to think that you only need to use [Select from File], but from the results I get I'm assuming that your answer is "Yes"... so continuing on this assumption: -
Clearly #3, Pre Publish, is the way to go eventually, but since my practice is to publish locally and then use FTP to explicitly put this on the web site, I'll use #2, Signing the application executable post-build, at first.
I need to execute a command based on
"C:\Program Files (x86)\Microsoft SDKs\Windows\v7.0A\bin\signtool.exe" sign /f "$(ProjectDir)TestWin8CO_TemporaryKey.pfx" /p nightbird /v "$(ProjectDir)obj\x86\$(ConfigurationName)\$(TargetFileName)"
I'm using VS2019, and so I found SignTool at C:\Program Files (x86)\Microsoft SDKs\ClickOnce\SignTool
My project ($(ProjectDir)) is
C:\Users\Robertbw10\source\repos\Jazz\Jazz\
$(ConfigurationName) is Debug
$(TargetFileName) is Jazz.exe
Based on that, I think that (except for the password) the command will be
"C:\Program Files (x86)\Microsoft SDKs\ClickOnce\SignTool\Signtool.exe" sign /f "C:\Users\Robertbw10\source\repos\Jazz\Jazz\jazz-software.pfx" /p xxxxx /v "C:\Users\Robertbw10\source\repos\Jazz\Jazz\obj\x86\Debug\Jazz.exe"
Question 2. Will you please confirm that this command looks reasonable, given that these objects are what I find with File Explorer?
The referenced article continues
After you’ve created your version of the post-build command, you need to put it in the project properties. Double-click on Properties and click on the Build Events tab. Put your command in the Post-build event command line box.
I found Build Events as a button from the Compile tab of properties. I assume that this is a change from earlier Visual Studios, so I'll put the command there and rebuild the project if I get feedback that the answers to both Question 1 and 2 are "Yes".
Thank you for helping me, Robert.
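
One way to check, after the post-build step has run, whether the executable actually carries the expected signature. This is an added example and not part of the original post; the function name Test-BuildSignature is hypothetical, and the path and publisher name are the ones given in the post.

```powershell
# Added example: inspect the Authenticode signature on one or more built files.
# Test-BuildSignature is a hypothetical helper name, not a built-in cmdlet.
function Test-BuildSignature {
    param(
        [Parameter(Mandatory)] [string[]] $Path,
        # Publisher name as shown under More Info in the post.
        [string] $ExpectedPublisher = 'Jazz Software Ltd'
    )
    foreach ($file in $Path) {
        if (-not (Test-Path -LiteralPath $file)) {
            [pscustomobject]@{ File = $file; Result = 'Missing'; Detail = 'file not found' }
            continue
        }
        $sig = Get-AuthenticodeSignature -LiteralPath $file
        $problems = @()
        # Anything other than Valid (NotSigned, HashMismatch, NotTrusted, ...) is a failure.
        if ($sig.Status -ne 'Valid') {
            $problems += "status is $($sig.Status): $($sig.StatusMessage)"
        }
        if ($sig.SignerCertificate) {
            # A leftover temporary or test key shows up here as a different subject.
            if ($sig.SignerCertificate.Subject -notlike "*$ExpectedPublisher*") {
                $problems += "unexpected signer: $($sig.SignerCertificate.Subject)"
            }
            if ($sig.SignerCertificate.NotAfter -lt (Get-Date)) {
                $problems += "signing certificate expired on $($sig.SignerCertificate.NotAfter)"
            }
        }
        # Without a timestamp the signature stops validating once the certificate expires.
        if (-not $sig.TimeStamperCertificate) {
            $problems += 'signature is not timestamped'
        }
        [pscustomobject]@{
            File   = $file
            Result = if ($problems.Count -eq 0) { 'OK' } else { 'Problem' }
            Detail = $problems -join '; '
        }
    }
}

# Path taken from the post; add the published copy of Jazz.exe to compare both.
Test-BuildSignature -Path 'C:\Users\Robertbw10\source\repos\Jazz\Jazz\obj\x86\Debug\Jazz.exe' |
    Format-List
```

The check reports on the signature only; it says nothing about how SmartScreen will treat the download.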