Maybe check this first: Installshield Custom Dialogue Installer
It seems you can submit files for malware analysis by Microsoft now. Try it out – it seems this yields “trust” – though I am unsure of any costs involved.
UPDATE: Also check this answer: How to avoid the “Windows Defender SmartScreen prevented an unrecognized app from starting warning” – a description of a strategy for getting your application and setup trusted.
Microsoft: SmartScreen FAQ (cross-link for safe-keeping).
- Trust: SmartScreen is “trust-based” – you gain reputation (or lose it).
- Grapevine: Usage analysis is based on submitted real-world user data from many sources: IE, Edge, Windows, Anti-Virus, download volume, download logs, download URL past history, web-site reputation, etc...
- EV-Certificate: Signing with an EV-certificate buys trust outright. Interesting concept.
- Say What?: Full details and the exact mechanism of trust calculation are unknown.
The overall idea is that what is downloaded all the time by many users without major incidents is probably not harmful.
Digital Signing
I am outdated on certificates, but how well signing will work largely depends on the nature of your certificate – whether it points to a valid root certificate already present by default on your users’ target computers (a self-signed certificate will not be present by default for example – obviously I guess) and what type of certificate it is (see below regarding EV certificate).
In your case the Installshield help file probably provides the information you need to use the certificate you mention. Here is the online version of that help: Installshield 2018: Digital Signing & Security. I believe your VeriSign certificate should work, if it is up to date (I presume SHA256 – Installshield 2015 upwards) and that it is a valid code signing certificate (as opposed to some other type of certificate).
Root Certificates: Microsoft Trusted Root Certificate Program – Portal (2018)
SmartScreen
Beyond signing, we are now (Windows 8 onwards) dealing with “smart screening” (see sample blocking dialog from Windows Defender). A reputation-based system (see the accepted answer in the linked question as well) with setup / application telemetry data determining if your setup is considered safe – in other words a simple, old-school certificate just isn’t enough anymore to gain trust. So they tell me :-).
You can apparently use an EV code-signing certificate to “buy trust” (interesting concept – one would have to say) – it is essentially a more expensive certificate with USB hardware token security and a more rigorous vetting process for the buyer (and there are further details): “Programs signed by an EV Code Signing certificate can immediately establish reputation with SmartScreen reputation services even if no prior reputation exists for that file or publisher.”
To point out the obvious, the below links are not meant as endorsements:
- Microsoft SmartScreen & Extended Validation (EV) Code Signing Certificates
- https://www.digicert.com/code-signing/
- https://www.globalsign.com/en/code-signing-certificate/
- Symantec Extended Validation (EV) Code Signing certificate – Getting Started.
Disclaimer: I am on shaky ground with these issues due to lack of experience, but the provided answer is “best effort” to help get you going. Please do report any important discoveries with comments to the answer or just edit the answer in-situ for the rest of the community (or add your own answer obviously).
Linking Monster: And now, the link-fest. Apologies :-).
Some Further SmartScreen Links For Safekeeping:
- How to avoid the “Windows Defender SmartScreen prevented an unrecognized app from starting warning”
- InnoSetup – fails to use global sign EV code signing
- How to pass the smart screen on Win8 when install a signed application?
- How to pass the Windows Defender SmartScreen Protection?
Some Further Certificate Links For Safekeeping:
- How to Add a Digital Certificate to a SingleImage Install Shield Installation Program
- Changing the Timestamp Server for Digital Signatures.
- UAC prompt from unidentified publisher appears when uninstalling MSIs on Windows Vista and Windows Server 2008
- Best practice to sign InstallShield setup and include intermediate certificates
- Odd ‘Program name’ when installing signed msi installer
- Is it possible to define a Windows Installer-uninstaller filename?
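The certificate properties discussed under Digital Signing above (chain to a trusted root, a real code-signing certificate, SHA256, EV or not) can be checked on a built setup before release. The following is an added example, not part of the original answer; the function name `Test-SetupSignature` and the path `.\setup.exe` are hypothetical, and the EV check is a heuristic that assumes the issuer asserts the CA/Browser Forum EV code-signing policy OID.

```powershell
# Added example: report the signing properties of a built setup file.
# Test-SetupSignature and the sample path are hypothetical names.
function Test-SetupSignature {
    param([Parameter(Mandatory)][string]$Path)

    $Path = (Resolve-Path -LiteralPath $Path -ErrorAction Stop).Path
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -eq 'NotSigned' -or -not $sig.SignerCertificate) {
        return [pscustomobject]@{ Path = $Path; Signed = $false; Status = $sig.Status }
    }
    $cert = $sig.SignerCertificate

    # The Code Signing EKU (1.3.6.1.5.5.7.3.3) distinguishes a code-signing
    # certificate from some other type of certificate.
    $ekuExt = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekuOids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })
    $hasCodeSigning = $ekuOids -contains '1.3.6.1.5.5.7.3.3'

    # Heuristic (assumption): EV code-signing certificates normally carry the
    # CA/Browser Forum policy OID 2.23.140.1.3 in Certificate Policies (2.5.29.32).
    $polExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.32' }
    $isEv = [bool]($polExt -and $polExt.Format($false) -match '2\.23\.140\.1\.3(?![\d.])')

    # Build the chain only to name the root; trust itself is reported in Status.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # keep this step offline
    [void]$chain.Build($cert)
    $root = ($chain.ChainElements | Select-Object -Last 1).Certificate

    [pscustomobject]@{
        Path           = $Path
        Signed         = $true
        Status         = $sig.Status          # 'Valid' = intact and trusted on this machine
        Subject        = $cert.Subject
        Root           = $root.Subject        # self-signed shows the signer itself here
        CertSigAlg     = $cert.SignatureAlgorithm.FriendlyName   # certificate's own algorithm
        CodeSigningEku = $hasCodeSigning
        EvPolicyOid    = $isEv
        Timestamped    = [bool]$sig.TimeStamperCertificate
        NotAfter       = $cert.NotAfter
    }
}

Test-SetupSignature -Path '.\setup.exe' | Format-List
```

A `Valid` status only covers the signing side on the machine where the check runs; SmartScreen reputation is established separately, as described above.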