Hi all,
a customer of mine has complained that the executables (created using FPC/Lazarus) I sent him were rejected by Windows (10/11) with a Windows message stating that this application was blocked because it could potentially harm his PC. I read through Microsoft's pages about Authenticode code signing, and then eventually bought an "Extended Validation" code signing certificate for my company. It took almost 2 months and a quite bureaucratic validation process, but eventually I received the certificate.
Today I wanted to test it. I compiled a test exe using Lazarus and put it on a USB stick in a signed and an unsigned version. I verified the signatures using Windows Explorer: the signed version does indeed show a valid signature, while the unsigned version does not. Then I brought the USB stick over to a Windows 11 box, freshly installed yesterday using nothing but the defaults.
I expected the target computer to complain in some way, but it simply executed the exe without any warnings, the signed version as well as the unsigned version. I then moved the whole thing to a Windows 10 laptop and got the exact same result: the "Smart" screen lets the unknown and "potentially harmful" program pass, regardless of whether it is signed or not.
I checked the Smart Screen settings on both machines, all protective features are turned on.
Does anyone have an idea what's going wrong? Are these features (just stabbing in the dark) tied to whether a Windows machine is part of a corporate network or not? My test computers are all workgroup machines, while my customer has a full-blown Active Directory environment.
Thnx, Armin.
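Added example (editor's note, not part of the original post or of any FPC/Lazarus code): a PowerShell script that shows the two things SmartScreen's application-reputation check actually looks at for a file launched from Explorer. Besides the Authenticode status, SmartScreen only evaluates files that carry the Mark of the Web, i.e. an NTFS alternate data stream named `Zone.Identifier` with `ZoneId=3`, which browsers and mail clients write on download. A file copied from a FAT32/exFAT USB stick has no alternate data streams at all, so the reputation check never runs. The script reports both, and can stamp the Mark of the Web onto a local copy to reproduce what a customer sees after a browser download. The path in `$Path` is a placeholder assumption; the cmdlets used (`Get-AuthenticodeSignature`, `Get-Item`/`Get-Content`/`Set-Content` with `-Stream`, `Unblock-File`) are standard Windows PowerShell.

```powershell
# Added example: inspect what SmartScreen sees for an executable.
# Assumption: $Path is the test exe on an NTFS volume (placeholder path).
param([string]$Path = 'C:\test\signed.exe')

function Get-SignatureReport {
    param([string]$FilePath)
    # Authenticode status as Windows sees it: Valid, NotSigned, HashMismatch,
    # UnknownError (untrusted chain), ...
    $sig = Get-AuthenticodeSignature -FilePath $FilePath
    [pscustomobject]@{
        File        = $FilePath
        Status      = $sig.Status
        Message     = $sig.StatusMessage
        Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        Thumbprint  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { $null }
        Timestamped = [bool]$sig.TimeStamperCertificate
    }
}

function Get-MotWReport {
    param([string]$FilePath)
    # Mark of the Web lives in the Zone.Identifier alternate data stream.
    # Files on FAT32/exFAT media (typical USB sticks) cannot carry one.
    $stream = Get-Item -Path $FilePath -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
    if (-not $stream) {
        return [pscustomobject]@{ File = $FilePath; HasMotW = $false; ZoneId = $null }
    }
    $content = Get-Content -Path $FilePath -Stream 'Zone.Identifier' -Raw
    $zone = if ($content -match 'ZoneId=(\d)') { [int]$Matches[1] } else { $null }
    # ZoneId 3 = Internet zone; that is the value SmartScreen reacts to.
    [pscustomobject]@{ File = $FilePath; HasMotW = $true; ZoneId = $zone }
}

function Set-MotW {
    param([string]$FilePath)
    # Stamp the file as "downloaded from the Internet" so the next launch
    # from Explorer goes through SmartScreen's reputation check.
    Set-Content -Path $FilePath -Stream 'Zone.Identifier' -Value "[ZoneTransfer]`r`nZoneId=3"
}

function Remove-MotW {
    param([string]$FilePath)
    # Equivalent of the "Unblock" checkbox in the file's Properties dialog.
    Unblock-File -Path $FilePath
}

Get-SignatureReport -FilePath $Path | Format-List
Get-MotWReport      -FilePath $Path | Format-List
```

Usage: run the script against the signed and the unsigned copy after moving them onto an NTFS volume; if `HasMotW` is `False` for both, neither file is a candidate for the SmartScreen reputation dialog, whatever its signature status. Call `Set-MotW` on each copy, launch it from Explorer again, and the two files should now behave differently. This also explains why a domain-joined customer, who received the file as a download or mail attachment, sees a dialog that a USB-stick test never produces.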