Why does my installer get flagged by Windows?!

If it's your first time using Pakkly for your Windows app it may surprise you that it gets flagged as 'unrecognized'. This screen will be shown to anyone installing your app:

[Screenshot: Windows SmartScreen "Windows protected your PC" warning]

They can still run it by clicking "More info", but the way to proceed is not obvious and scares average users. What Windows is doing is alerting the user that this installer is not commonly executed and that they should take care. This is based on the executable's or certificate's 'reputation'.

For the purposes of this post we'll consider the 'executable' to be the shipper, Pakkly's optimized installer/updater, generated to contain your app's information.

What is the Shipper?

The Shipper is our name for the installer/updater that your users can download from your app's "Download Hub". This binary is bound to your project ID. Pakkly currently doesn't offer a way to directly sign this binary, but you can always download it, sign it, and serve it yourself without the Download Hub.

How do I prevent this?

There are three possible ways to prevent this popup from showing. We'll cover all three.

1. Just wait

This is the simplest way, requiring no work or money. Eventually enough users will download and execute the installer that SmartScreen will consider your software 'commonly used'. This can take months or years, but it is the only option for open source developers who don't want to spend any money. Luckily the Pakkly binary (the Shipper) remains the same between your app versions, so this counter can accumulate more quickly.

2. Use a Code-Signing certificate

This option involves getting a code-signing certificate from a CA and using that to sign your binary. But be warned: this WILL NOT mark your installer as trusted. It does boost the speed at which you will acquire 'reputation', but your users will still be presented with a warning when installing your app.

3. Use an EV Code-Signing certificate

Extended Validation certificates are significantly more expensive than regular code-signing certs and require a more extensive verification process. This usually involves verifying your company information, similar to an EV SSL certificate for a website. Using an EV certificate will allow you to fully bypass Windows SmartScreen and instantly boost you to 'trusted' status.

How Do I Use These Certificates?

You use the SignTool utility (signtool.exe) provided by Microsoft, or follow the instructions provided by your Certificate Authority. Once signed, you can distribute the installer as you would normally (typically via a website download link). We are working to streamline the process of signing and distribution, including allowing signed downloads from the "Download Hub".
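As an added example (not Pakkly's own tooling), the signing and verification steps in PowerShell with Microsoft's SignTool, covering both a certificate exported as a PFX and a certificate held in the Windows certificate store (as with a token-based EV cert); the binary name, PFX path, thumbprint and timestamp URL are placeholders you replace with your own.

```powershell
# Added example, not part of Pakkly: sign the downloaded Shipper binary with
# SignTool and verify the result before serving it from your own site.
# Assumes signtool.exe (Windows SDK) is on PATH. All paths/URLs are placeholders.
param(
    [string]$Binary       = ".\shipper-installer.exe",          # the Shipper you downloaded
    [string]$PfxPath      = ".\codesign.pfx",                   # standard cert exported as PFX
    [string]$PfxPassword  = "",
    [string]$CertThumbprint = "",                               # set instead of PFX for a store/token cert
    [string]$TimestampUrl = "http://timestamp.example/rfc3161"  # placeholder RFC 3161 timestamp server
)
$ErrorActionPreference = "Stop"

# Always timestamp (/tr, RFC 3161). Without it the signature stops validating once
# the certificate expires, and the reputation you accumulated is tied to that signature.
$signArgs = @("sign", "/fd", "SHA256", "/tr", $TimestampUrl, "/td", "SHA256")

if ($CertThumbprint) {
    # Private key on a hardware token or in the user store: select by SHA-1 thumbprint.
    $signArgs += @("/sha1", $CertThumbprint)
} else {
    $signArgs += @("/f", $PfxPath)
    if ($PfxPassword) { $signArgs += @("/p", $PfxPassword) }
}
& signtool.exe @signArgs $Binary
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# Verify under the default Authenticode policy (/pa), which is what Windows applies
# when the user runs the installer; /v prints the chain and timestamp details.
& signtool.exe verify /pa /v $Binary
if ($LASTEXITCODE -ne 0) { throw "signtool verify failed with exit code $LASTEXITCODE" }

# Independent check from PowerShell: status must be Valid, not UnknownError/NotSigned.
$sig = Get-AuthenticodeSignature -FilePath $Binary
if ($sig.Status -ne "Valid") { throw "Signature status is $($sig.Status): $($sig.StatusMessage)" }
"{0} signed by '{1}', certificate valid until {2}" -f $Binary,
    $sig.SignerCertificate.Subject, $sig.SignerCertificate.NotAfter
```

A valid signature is the precondition for reputation, not a guarantee of it: with a standard certificate the SmartScreen warning persists until enough installs accumulate, exactly as the section above describes.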

Conclusion

Essentially you have the choice between two kinds of certificate and three price levels, depending on how urgent it is and how sensitive your users are to the warning.