C#: How to pass the smart screen on Win8 when installing a signed application?
Original source: http://stackoverflow.com/questions/12311203/
Warning: these are provided under the CC BY-SA 4.0 license. You are free to use/share it, but you must attribute it to the original authors (not me): StackOverflow
Asked by Howard
We are developers, and we have a digitally signed application installer. When we install this application, it pops up the smart screen, which affects the installation experience. It says:
Windows protected your PC
Windows SmartScreen prevented an unrecognized app from starting. Running this app might put your PC at risk.
I think Microsoft has some strategy to verify the application besides the digital signature. Does anyone have experience with this issue? Please give me some clue to fix it.
Accepted answer by Lex Li
If you signed the installer with a purchased certificate from a CA, you are supposed to contact the CA for explanation on why they failed to work with Microsoft to get rid of this warning.
If the certificate is not from a CA, but a self-signed certificate, you will have to resort to a CA.
Microsoft has most information published on its Windows team blog already:
Best Practices
Developers should still follow the best practices we've suggested in past blog posts. We have added to that guidance the additional options of distributing apps thru the Windows Store and the option of EV code signing:
- Distribute your apps through the Windows Store
Windows 8 Applications are required to pass the Windows Store developer onboarding and application review process. Windows 8 applications are not in scope for SmartScreen application reputation checks or warnings in Windows 8.
- Digitally sign your programs (Standard or EV code signing)
Reputation is generated and assigned to digital certificates as well as specific files. Digital certificates allow data to be aggregated and assigned to a single certificate rather than many individual programs. Although not required, programs signed by an EV code signing certificate can immediately establish reputation with SmartScreen reputation services even if no prior reputation exists for that file or publisher. EV code signing certificates also have a unique identifier which makes it easier to maintain reputation across certificate renewals. Only Authenticode Certificates issued by a CA that is a member of the Windows Root Certificate Program can establish reputation.
At this time, Symantec and DigiCert are offering EV code signing certificates.
- Don't sign or distribute malicious code
Distributing code detected as malicious will remove the reputation from a file and also any reputation from the associated digital certificate – even if signed with an EV code signing certificate.
- Apply for a Windows Logo or Windows 8 Desktop App Certification
Learn more about these programs here: Windows 8 Desktop App Certification (required for Windows Store submissions), Windows Logo Program
Answer by Xantix
I have been searching for a while, so I'll share what I've found so far.
I haven't found any documentation about this feature in Windows 8 from Microsoft, but I may just be looking in the wrong places.
Most of the articles I read discuss that the SmartScreen Filter works as follows:
- Before running an installer or executable that was downloaded, Windows 8 consults with a database.
- The database can report whether or not that program has been:
  - reported as malicious/phishing (and verified by a Microsoft Employee).
  - used/run by many people.
If enough people have run that installer, without reporting it as malicious, eventually that program will be flagged as safe, and other users will not receive the annoying message.
The information sent to Microsoft when a user installs a program includes IP address, a hash of the installer and digital signature, and possibly the filename of the application. (see here)
Microsoft employees would have direct access to the database to add and flag safe all Microsoft applications.
Perhaps Microsoft has set up a way to pre-certify your installer with them, if not you may just need to wait until enough people run the installer. (but not sure how many that would be).
Answer by Chris
I have tested the EV cert solution and it does work.
Sadly, I will also mention that EV certs are incompatible with TeamBuild which executes signing under the context of a service. EV certs require a hardware token that interfaces with the Cryptographic Service Provider that is provided by SafeNet, Inc for use with all authorized EV cert vendors (VeriSign and DigiCert).
When signing occurs, the drivers from SafeNet will prompt for a password, which is somewhat incompatible with executing under the context of a service. Additionally, SafeNet provides protection that prevents signing from anything but the actual console. You cannot even sign from within a remote desktop session. So, signing from within TeamBuild is problematic at best and not possible at worst.
I have worked with Microsoft and they have not been able to provide a workaround for signing or any other way to achieve instant reputation under SmartScreen.
Answer by Lompican
I just went through this process, and I'll add some tidbits of info to this.
1) Get an EV. It's worth it. Next time you upgrade your certificates, upgrade to an EV certificate. The price is about $100 more per year. EV certificates are considered more secure, because they are harder to steal. When issued to you, a hardware token device will be issued to you to complete the sign. Unfortunately, the final sign is not compatible with automated builds.
It's not as terrible as it sounds. They will provide you a second certificate to sign your executables (inside the installer) which remains compatible with automation. The signature on the installer must be signed in conjunction with the hardware token.
2) If you don't want to get an EV certificate, you need reputation. If you're upgrading, Microsoft will transfer the reputation from your old certificate to your new one. You must contact MSDN tech support and in about a week it'll be done. I submitted my old and new installers -- with old and new certificates -- and they fixed it.
3) If this is your first certificate, you're stuck with SmartScreen until you get reputation. You probably should get your app certified through sysdev.microsoft.com. But, it's not really known how many downloads you need before you earn a positive reputation with Microsoft.
That's my experience.
Answer by Pierre Arnaud
We just went through the whole process of moving from an old Authenticode certificate to a new one (not an EV certificate, just a plain certificate that can be used in our automated build process).
Microsoft is no longer providing any means of transferring reputation from an existing certificate to a new one. So don't try to call their support. You'll just waste a lot of time and energy. And they won't be able to help.
Microsoft is claiming that if the old and new certificates have the same textual content, the reputation gets established faster. More specifically, here is the reply I got from the SmartScreen® Filter's Application Reputation feature support team:
Please note that whenever you renew a certificate with known reputation, you will likely see some warns during initial downloads of files signed with the renewed certificate. However, known reputation on the renewed certificate is typically established more rapidly than on a new certificate. While a renewed certificate establishes reputation, users can still click through to run or save the download. To do so, they select Actions | More Options | Run Anyway from Download Manager.
The best way to ensure that SmartScreen won't warn the users is to run the Windows App Certification Kit (WACK), which should be included in the Windows SDK download:


After running the tests, WACK explains how to proceed:


Upload the XML result of a successful application certification to https://sysdev.microsoft.com. A few days later, SmartScreen will be aware of the digital signature used for the certified program and will no longer warn the users on download.
Note: We were not able to certify our application on the latest updates of Windows 8.1 and we had to use a clean install of Windows 8.1 in order to get WACK to validate successfully all of our programs.
Answer by Pierre Arnaud
Since Windows 8.1 is out.
Microsoft deactivated all Standard Code Signing Certificates from being trusted when you download them via the internet to your PC and try to install them, but a Standard Code Signing Certificate application works if you distribute your application via USB or CD-ROM.
Do not use signtool.exe to verify (signtool.exe verify /pa mysetup.exe will show success, but it will fail when other users download it and try to install: a SmartScreen popup will keep showing up).
Use Windows App Certification Kit (WACK)


- These standard code signing certificates are dead. This means that if you have a standard code signing certificate, it won't work reliably anymore like it did in the past. Even though Windows App Certification Kit (WACK) shows PASS with WARNING, that does not mean it's a 100% verified success.


You have to purchase EV certificate (https://www.globalsign.com/en/code-signing/)
So, to be 100% successful, follow the spoon-feed:
Step 1: go to https://sysdev.microsoft.com and log in
a) Create a company account > next
b) Download the winqual.exe file, which is provided by Microsoft as a zip file. Now sign winqual.exe with your standard certificate or EV certificate and then click next to upload the file for validation.
In my case it failed because I have a standard certificate, which Microsoft no longer allows. So all you have to do now is buy an EV license, or else you are screwed and can spend your lifetime solving this problem without any clue.
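The contrast drawn in this answer, as an added example that is not part of the original post: a signature that verifies locally says nothing about SmartScreen reputation, so this PowerShell function reports what the file actually carries (signature status, timestamp, EV policy, download mark). The function name is hypothetical, `mysetup.exe` is the file name used in the answer, and the script assumes Windows PowerShell with EV certificates identified by the CA/Browser Forum policy OID.

```powershell
# Added example: inspect a signed installer before release.
# Get-InstallerSigningReport is a hypothetical name; mysetup.exe comes from the answer above.
function Get-InstallerSigningReport {
    param([Parameter(Mandatory)][string]$Path)

    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate

    # CA/Browser Forum policy OID carried by EV code signing certificates.
    $evOid = '2.23.140.1.3'
    $isEv  = $false
    if ($cert) {
        # 2.5.29.32 is the Certificate Policies extension.
        $policies = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.32' }
        if ($policies) {
            $isEv = $policies.Format($false) -match [regex]::Escape($evOid)
        }
    }

    # A file downloaded through a browser carries a Zone.Identifier alternate
    # data stream; a copy taken from USB or CD-ROM has none, which is why a
    # local test run can look clean while downloaded copies still warn.
    $zone = Get-Content -Path $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue

    [pscustomobject]@{
        File            = $Path
        SignatureStatus = $sig.Status   # 'Valid' means the signature verifies, not that reputation exists
        Signer          = if ($cert) { $cert.Subject } else { $null }
        CertExpires     = if ($cert) { $cert.NotAfter } else { $null }
        Timestamped     = [bool]$sig.TimeStamperCertificate
        EvCertificate   = $isEv
        MarkOfTheWeb    = [bool]$zone
    }
}

Get-InstallerSigningReport -Path .\mysetup.exe | Format-List
```

Run it against a copy fetched through a browser rather than the build output, so that `MarkOfTheWeb` reflects what end users receive.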


Answer by Daniel
Unfortunately I don't have enough rep to simply comment on one of the above answers. However, if you specify partial trust for your published app (I chose Internet zone) and have a code signing cert in place, no smart screen warning is displayed (checked on Win10).
Answer by Luciano Arruda
I sign my application in an automated manner using an EV certificate on a token (GlobalSign). Use a .bat file. In the ".bat" file, type, for example (for SHA-1):
SignTool.exe sign /n "Exact Enterprise name in the cert - token" /t "http://timestamp.globalsign.com/scripts/timstamp.dll" "c:\Patch_to_file\Filename.exe"
The "Exact Enterprise name in the cert - token" should be the exact name that is in the certificate (token).
Answer by Simon Carter
"The version of the file is not compatible with the version of windows you're running". Under Windows 2008 server there is no "More Info" button to choose to install anyway.
As we develop windows desktop software (not 'Apps') using non-Microsoft products (Delphi), and use Innosetup for our installer, the app validation is meaningless. It sits there for 30 minutes doing nothing, we simply start the app, then close the app manually, and it generates a pass report.
We code sign all our releases and every executable within them.
When we upload the XML to Microsoft, the certified XML sits on a site unrelated to our main developer account, with no way to publish it to the Microsoft Store. 45 minutes wasted per application.

