I have a different experience than @George Y. Our Code Signing EV-Certificate from Sectigo did help to avoid false positives in Norton 360. I don't know about other Antivirus software - to be tested.
Note:
My different experience from @George Y. doesn't imply that he is wrong. The difference can be due to many factors, such as Antivirus Software Company policies, ... Also, my experience is based on positive results I get today from the code signing. More tests in the future (and experiences from our users) will prove whether these positive results were temporary or permanent.
1. Before code signing
Before the code signature, our users got warnings like this:
Even worse, Norton 360 would simply remove a lot of executables and .pyd files automatically - thereby breaking our software completely:
It was a complete disaster.
2. After code signing
Today, I signed our application for the first time with our new EV-Certificate. I signed not only the `.exe` files, but also the `.dll`, `.so` and `.pyd` files. When signing these files, I first check if they already have a signature, to avoid double signing `.dll` files from third-party open-source binaries that we include in our build. Here is my Python script that automates this procedure:
```python
import os
import subprocess
import sys


def sign_if_needed(exefiles):
    # 'exefiles' is a Python list of filepaths
    # to .exe, .dll, .so and .pyd files. Each
    # filepath in this list is an absolute path
    # with forward slashes.
    for f in exefiles:
        name = os.path.basename(f)
        # Passing the command as a list lets subprocess quote the
        # path itself, so paths with spaces need no manual quoting.
        result = subprocess.run(
            ["signtool", "verify", "/pa", f],
            stdin=subprocess.DEVNULL,
            stdout=subprocess.PIPE,
            stderr=subprocess.PIPE,
            cwd=os.getcwd(),
            encoding='utf-8',
        )
        if result.returncode:
            # Verification failed, so the file is not yet signed
            result = subprocess.run(
                ["signtool", "sign",
                 "/tr", "http://timestamp.sectigo.com",
                 "/td", "sha256", "/fd", "sha256", "/a", f],
                stdin=subprocess.DEVNULL,
                stdout=subprocess.PIPE,
                stderr=subprocess.PIPE,
                cwd=os.getcwd(),
                encoding='utf-8',
            )
            if result.returncode:
                # Code signing failed!
                print(f"Sign: '{name}' failed")
            else:
                # Code signing succeeded
                print(f"Sign: '{name}'")
        else:
            # Verification succeeded, so the file was already signed
            print(f"Already signed: '{name}'")


if __name__ == "__main__":
    # The file list can be given on the command line, e.g.
    # python sign.py C:/build/app.exe C:/build/foo.pyd
    sign_if_needed(sys.argv[1:])
```
The results are promising so far. Windows SmartScreen no longer generates warnings. Neither does Norton 360. I've tried on both my laptop and a desktop with a clean Norton 360 install - both of them trust the application (unlike before the code signature).
Fingers crossed it will stay this way. Let's also hope other Antivirus software will trust our application.
Note:
As of writing this post, our signed application is only available for testers on https://new.embeetle.com
It will be available soon on our public website https://embeetle.com as well - but not yet today.
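As an added example (not the author's script), here is a Python check that reads the PE header directly to tell whether a file already carries an embedded Authenticode signature, for the PE files in a build (`.exe`, `.dll`, `.pyd`); it only detects that the Certificate Table is present and does not validate the signature, so it complements rather than replaces `signtool verify` (and works on a non-Windows build host where signtool is unavailable). The function names are assumed, and `build_minimal_pe` constructs a bare sample header purely to exercise the parser offline.

```python
import struct

# Index of the Certificate Table (IMAGE_DIRECTORY_ENTRY_SECURITY)
# in the optional header's data directory array.
SECURITY_DIRECTORY_INDEX = 4


def has_authenticode_signature(data: bytes) -> bool:
    """True if the PE image embeds an Authenticode Certificate Table.

    This only detects that a signature blob is present; it does not
    validate the signature or its chain (that is signtool's job).
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ header)")
    (pe_offset,) = struct.unpack_from("<I", data, 0x3C)   # e_lfanew
    if data[pe_offset:pe_offset + 4] != b"PE\0\0":
        raise ValueError("not a PE file (missing PE signature)")
    opt_header = pe_offset + 4 + 20          # COFF file header is 20 bytes
    (magic,) = struct.unpack_from("<H", data, opt_header)
    if magic == 0x10B:                        # PE32
        dir_base = opt_header + 96
    elif magic == 0x20B:                      # PE32+
        dir_base = opt_header + 112
    else:
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    entry = dir_base + SECURITY_DIRECTORY_INDEX * 8
    file_offset, size = struct.unpack_from("<II", data, entry)
    # Unlike other directories, this entry holds a raw file offset.
    return size != 0 and file_offset != 0


def build_minimal_pe(magic: int, cert_offset: int, cert_size: int) -> bytes:
    """Constructed sample input: a bare PE header (not a loadable image)
    with a chosen Certificate Table entry, to exercise the parser offline."""
    pe_offset = 0x80
    dos = bytearray(pe_offset)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, pe_offset)
    dir_base = 96 if magic == 0x10B else 112
    opt = bytearray(dir_base + 16 * 8)        # 16 data directory entries
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<II", opt, dir_base + SECURITY_DIRECTORY_INDEX * 8,
                     cert_offset, cert_size)
    coff = struct.pack("<HHIIIHH", 0x8664 if magic == 0x20B else 0x14C,
                       0, 0, 0, 0, len(opt), 0x22)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)
```

In a build script, call `has_authenticode_signature(open(path, "rb").read())` on each PE file and route only the `False` results to `signtool sign`.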