Windows Security Warning Explained
Why Windows Shows a Warning When You Install My Software
When you download one of my Windows installers, you may see a message such as:
“Windows protected your PC”
Publisher: Unknown
This appears because the installer is not signed with a commercial code-signing certificate. Microsoft uses these certificates to verify the identity of software publishers and to decide whether an application is “trusted”.
What a Code-Signing Certificate Is
A code-signing certificate is a digital ID issued by a trusted authority (for example, DigiCert, Sectigo or GlobalSign). It allows developers to sign their applications so that Windows can confirm who created them and whether they’ve been tampered with.
When an installer is signed with such a certificate:
- Windows shows the verified publisher name.
- The “Unknown publisher” message disappears.
- SmartScreen reputation may improve over time.
However, these certificates are expensive and renewed annually, which makes them impractical for small or non-commercial projects.
Why My Installers Are Unsigned
I build and maintain these tools independently. The cost and administrative overhead of commercial certificates (€190–500 annually at least) make them impractical for small non-commercial projects. This means my installers are technically “untrusted” by Windows, even though they are safe if downloaded directly from my official website.
What About Self-Signed Certificates?
Some developers use self-signed certificates to sign their installers. I don’t, because I’ve come to the conclusion that they are only pointless theatre.
A self-signed certificate:
- Still triggers the same Windows SmartScreen warning
- Offers no trust benefit unless users manually install the certificate (which they probably won’t and shouldn’t)
- Adds complexity to the build process without improving security
The only way to eliminate the warning is to purchase a commercial certificate from a trusted authority.
Instead, I provide SHA256 checksums on each download page and in the app documentation (useful if you receive an installer supposedly from me, but from another source). These allow you to verify that the file you downloaded matches exactly what I published, without pretending to offer trust that Windows won’t recognise anyway.
What About MSIX Installers?
MSIX is a modern Windows packaging format designed primarily for Microsoft Store distribution. Unlike traditional installers, MSIX packages must be signed to install at all – they won’t run unsigned.
I don’t use MSIX because:
- It requires the same expensive commercial certificate to be useful for public distribution
- Self-signed MSIX packages require users to manually install your certificate before installation (even worse UX than traditional installers)
- It’s designed for Store distribution or enterprise environments, not independent software distribution
- Traditional installers offer more flexibility and broader compatibility
MSIX doesn’t solve the certificate cost problem – it just makes unsigned distribution impossible rather than merely warned about.
How to Decide Whether to Install
You should only install my software if you trust its source.
- If you know me and trust my work, you can safely continue with the installation by clicking More info → Run anyway.
- If you do not trust me, or do not recognise the source, don’t install it. It is always right to err on the side of caution.
For Technical Users
Each installer can be verified using SHA256 checksums, published on the download page.
SmartScreen and antivirus tools may still flag the installer until sufficient reputation is built or a commercial certificate is added.
How to Verify SHA256 Checksums
If you want to verify that a downloaded installer hasn’t been tampered with, you can check its SHA256 checksum against the one I publish on the download page. Be sure to unzip the installer first, as the checksum is based on the exe and not the zip.
Using PowerShell:
- Open PowerShell
- Navigate to your Downloads folder or wherever you saved the installer
- Run:
Get-FileHash "InstallerName.exe" -Algorithm SHA256
- Compare the hash output with the checksum published on the download page – they must match exactly
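As an added example (not part of the original page), here is the PowerShell check above written as a reusable function: it hashes the installer, normalises and compares the published checksum, warns if you pointed it at the zip rather than the extracted .exe, and also reports the Authenticode signature status that lies behind the “Unknown publisher” prompt described earlier. The function name `Test-InstallerHash`, the file name and the checksum are placeholders of mine, not values from the page.

```powershell
# Added example, not from the original page. File name and checksum are placeholders.
function Test-InstallerHash {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedSha256
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "File not found: $Path"
    }

    # The published checksum covers the .exe, not the .zip it was shipped in.
    if ([System.IO.Path]::GetExtension($Path) -ieq '.zip') {
        Write-Warning 'This is a zip archive. Extract it and hash the .exe inside; the published checksum is for the .exe.'
    }

    # Normalise the published value: strip whitespace and ignore case. Copy-pasted
    # checksums often carry stray spaces or line breaks that would cause a false mismatch.
    $expected = ($ExpectedSha256 -replace '\s', '').ToUpperInvariant()
    if ($expected -notmatch '^[0-9A-F]{64}$') {
        throw "Expected value is not a 64-hex-digit SHA256 checksum: '$ExpectedSha256'"
    }

    # Same cmdlet as the manual step; .Hash is the hex digest.
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash.ToUpperInvariant()

    # Signature status explains the SmartScreen prompt: NotSigned means no
    # code-signing certificate at all, which is the case this page describes.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path

    [pscustomobject]@{
        File            = $Path
        ExpectedSHA256  = $expected
        ActualSHA256    = $actual
        HashMatches     = ($actual -eq $expected)
        SignatureStatus = $sig.Status      # e.g. NotSigned, Valid, HashMismatch
        Signer          = $sig.SignerCertificate.Subject
    }
}

# Usage (placeholders: replace with the real installer name and the checksum
# from the download page before running):
# $result = Test-InstallerHash -Path '.\InstallerName.exe' -ExpectedSha256 '<checksum from download page>'
# $result | Format-List
# if (-not $result.HashMatches) { Write-Error 'Checksum mismatch: do not run this installer.' }
```

A mismatch in `HashMatches` means the file is not the one published, whether through corruption or tampering, and should not be run.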
Using Command Prompt:
- Open Command Prompt
- Navigate to your Downloads folder
- Run:
certutil -hashfile "InstallerName.exe" SHA256
- Compare the hash output with the published checksum
Using the RWS OpenX Hash Generator:
- This app is available through the RWS AppStore – https://appstore.rws.com/Plugin/50
- There is an article on the multifarious blog explaining this tool – https://multifarious.filkin.com/2014/01/10/openx_security/
- Essentially it’s just a tool that provides a nice wrapper around the command line approaches above
If the checksums don’t match, don’t install the file – it may have been corrupted or tampered with.
In Summary
- Windows warnings are expected because no commercial certificate is used.
- Self-signed certificates and MSIX packaging don’t solve this problem for independent developers.
- The software is safe only if you obtained it directly from my official site.
- Use the SHA256 checksums to verify file integrity if you have any doubts.
- If you are unsure, do not install it.
- Transparency and caution protect both of us.