So when I publish a game on itch.io and then download the game, I get a Windows protection message saying potential threat and all that. I did some research and found a few reasons why it does this. It does this because Windows 10 apparently dislikes any software not signed with a cryptographic certificate, or that’s what I’ve collected from posts on the subject. I did some research and I guess you’re supposed to buy it from a certificate provider, or Microsoft.
I post this information because I think it’s something important to know when publishing a game, and if anyone knows a way I can either make a license or get around this Windows protection message, I hope they would share this.
So do you have any theories on why I get a Windows protection window when downloading my own game? Or is this just telling me I’m doing it wrong without explaining to me why I’m doing it wrong?
Windows doesn’t care what you are downloading, even for your own files.
Thing is, you download executable files.
Your system detects that you download executable files, and warns you.
For your system these are new files. Not copies of original files.
Even in some special cases, when building a new game, the OS can prompt you with a security warning.
That depends on your project’s set of libraries.
But how would you stop this security prompt from coming up for other people who download your game from a marketplace? Would I be building my game incorrectly? The game folder has an executable, dl, data folder, and a mono_bleeding edge folder. Then I put it in a compressed zip and publish it.
So then why is it that when I download an indie game from elsewhere this message does not come up? I have downloaded indie games that give me this message besides mine, but other indie games won’t show this message.
You need to get the security system to recognise your executable as safe. That’s deliberately expensive and/or time consuming, because if it was easy to do then every malware writer would just do it (and I bet big ones do!).
I looked up where to get an SSL, which is the license that says your software is trusted. It is definitely expensive, I’ll just deal with it for now and hope people ignore the message.
As far as I know, it does not matter what Software something is made with. Would be rather silly if the security mechanism would recognize everything made with Unity as safe since you can make harmful stuff with it, if you want to.
As far as I have read up on this topic once, you either can get a certificate - there are companies offering that (haven’t quite found out how you get it from MS directly, if possible) for roughly 1000$ every two years or something.
Alternatively, MS will deem software as safe after a certain number of uses on computers which do not have most of MS home-calling features disabled. No idea what the number of downloads has to be, but that is likely why you do not encounter it on many indie games.
The principle is very similar. Here it’s called “Code Signing Certificate”.
You could quickly and honestly explain it where you offer the download link. Something along the lines of:
“Note: Windows may warn you of an “Untrusted Publisher” of this software. That’s because I cannot afford an official certificate yet, being an indie dev.”
Fairly sure they had found the right thing (especially since they said it’s expensive, which certificates for websites are not), but yeah, better to be sure.
EDIT: just looked that up, my memory of 1000$ per two years was spot on. Kinda ridiculous that this is the same price range as a Unity Pro membership, which is a whole software and support, while certificates are just a simple authentication service which probably costs just a few bucks to run per user >_>
MS got some money making scheme out there, lol.
Microsoft SmartScreen is a reputation-based system, but it only allows you to start gaining reputation if you sign your application with a standard (or regular) code signing certificate. Once signed, reputation will build up, and after a certain amount has been accumulated the popup will no longer appear. This certificate is about $100/yr USD.
If you want to completely bypass the reputation building though you can go with an EV (Extended Validation) code signing certificate. Aside from being much more expensive ($300/yr USD) it requires the CA (Code Authority) to perform a more thorough validation.
That’s really how it is?
I would have expected all this to be a way bigger topic in indie communities then, but it’s hard to find information about this kind of certificate in general, albeit usually I do not see that popup.
Happen to have some sources? Especially where to buy that cheaper/basic variant, since so far I only found the pricier variant.
I understand that Unity’s provided executables are probably “recognised” by the system, but they load DLLs which won’t be. I don’t know if that trips up the system. Ideally it probably should, but that’d be quite difficult to reliably detect at load time alone.
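An added example, not part of the thread: a check a developer could run over a build before zipping it, to see which executables and DLLs carry an embedded Authenticode signature at all. It tests only for the presence of the PE certificate table, not signature validity or SmartScreen reputation; the file names and header bytes are constructed samples.

```python
import struct

SECURITY_DIR = 4  # index of the certificate table in the PE data directories

def has_embedded_signature(data: bytes) -> bool:
    """True if a PE image carries an Authenticode certificate table.
    Presence only: does not validate the signature, chain or reputation."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file (no MZ header)")
    pe = struct.unpack_from("<I", data, 0x3C)[0]           # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file (no PE signature)")
    opt = pe + 24                                          # past signature + COFF header
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]  # SizeOfOptionalHeader
    magic = struct.unpack_from("<H", data, opt)[0]
    dirs = {0x10B: 96, 0x20B: 112}.get(magic)              # PE32 / PE32+
    if dirs is None:
        raise ValueError("unknown optional header magic")
    count = struct.unpack_from("<I", data, opt + dirs - 4)[0]
    entry = opt + dirs + SECURITY_DIR * 8
    if count <= SECURITY_DIR or entry + 8 > opt + opt_size:
        return False
    offset, size = struct.unpack_from("<II", data, entry)  # a file offset, not an RVA
    return size > 0 and offset + size <= len(data)

def unsigned_files(build: dict) -> list:
    """Names of .exe/.dll entries in a {name: bytes} build that lack a signature."""
    return sorted(n for n, b in build.items()
                  if n.lower().endswith((".exe", ".dll")) and not has_embedded_signature(b))

def fake_pe(signed: bool, pe32_plus: bool = True) -> bytes:
    """Constructed sample: PE headers only, not a runnable program."""
    magic, dirs = (0x20B, 112) if pe32_plus else (0x10B, 96)
    opt = bytearray(dirs + 16 * 8)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<I", opt, dirs - 4, 16)              # NumberOfRvaAndSizes
    if signed:
        struct.pack_into("<II", opt, dirs + SECURITY_DIR * 8, 0x400, 0x1A8)
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, len(opt), 0x22)
    image = bytes(dos) + b"PE\0\0" + coff + bytes(opt)
    return image.ljust(0x400 + 0x1A8, b"\0") if signed else image

# Constructed build folder contents (hypothetical file names).
SAMPLE_BUILD = {"game.exe": fake_pe(True), "mono.dll": fake_pe(False),
                "plugin.dll": fake_pe(False, pe32_plus=False), "readme.txt": b"hi"}
print("unsigned:", unsigned_files(SAMPLE_BUILD))
```

To check that a signature is actually valid and chains to a trusted publisher, use Windows tooling such as PowerShell's `Get-AuthenticodeSignature` on the real files.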