IIRC 7-Zip has explicitly decided not to get signed. It doesn’t help all that much anyway, SmartScreen still catches your application and nags the user.
Unfortunately, I cannot seem to find any reference, so I might remember it wrong or it wasn’t about 7-Zip or whatever. The thing with SmartScreen is (unfortunately) still true.
I wonder what you mean by "not useful"? They just have to participate in the reputation system, but that's an issue only when the certificate is young.
Here's an excerpt from MSDN:
> Detractors may claim that SmartScreen is “forcing” developers to spend money on certificates. It should be stressed that EV code signing certificates are not required to build or maintain reputation with SmartScreen. Files signed with standard code signing certificates and even unsigned files continue to build reputation as they have since Application Reputation was introduced in IE9 last year. However, the presence of an EV code signing certificate is a strong indicator that the file was signed by an entity that has passed a rigorous validation process and was signed with hardware which allows our systems to establish reputation for that entity more quickly than unsigned or non-EV code signed programs.
I didn’t say “not useful”. Clearly they’re useful. I said non-EV certs “aren’t as useful”. Which is just a fact (as evidenced by the Smart Screen “reputation boost” that EV certs get).
I already read that blog post. I’m the person who linked to it in the forum post.
However, isn’t getting an EV certificate impossible for a natural person? You’d have to be some sort of legally recognized organization. Not exactly suitable for small-scale Open Source development.
KeePass: This isn’t an EV certificate (has only OID 2.23.140.1.4). Certum also clearly states, topmost on the description of how to get an EV Code Signing certificate:
> We do not issue EV Code Signing certificates to natural persons!
Yarn: Not an EV certificate either: "Organizationally validated certificates used to sign standard objects." (2.16.840.1.114412.3.1 in addition to 2.23.140.1.4.1).
> It doesn’t help all that much anyway, SmartScreen still catches your application and nags the user.
Windows 10, in the default configuration, won't let you install unsigned applications at all. It might "nag" early downloaders when a certificate is present but you can override that (and the nagging stops eventually due to popularity).
But more importantly, if the site were ever compromised, it makes it easier to spot if a compromised binary is posted, since hopefully the bad guy wouldn't have the code signing certificate. Right now the official binary looks like a compromised version.
When I was just installing it now (this post reminded me that I hadn't updated it recently) I was put off by the lack of publisher in the installer and went back to double-check it was the official version. It's really off-putting seeing "publisher: unknown" when installing and my immediate reaction was, "wait, did I install it from the legit site?".
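Added example for this thread (PowerShell, not code from 7-Zip, KeePass, Yarn or any of the commenters): given a file path, it reads the Authenticode signature and classifies the signer certificate by the CA/Browser Forum policy OIDs discussed above. It covers both the "Publisher: Unknown" case (no signer certificate at all) and the EV-versus-OV distinction. Assumptions: the EV Code Signing OID 2.23.140.1.3 is taken from the CA/B Forum Baseline Requirements and is not quoted on this page; 2.23.140.1.4.1 is the OV code-signing OID quoted for Yarn; the script name and the 7z.exe path in the usage note are made up for illustration.

```powershell
# Added example for this thread; not 7-Zip's, KeePass's or Yarn's code.
# Reads the Authenticode signature of a file and classifies the signer
# certificate by CA/Browser Forum certificate-policy OIDs:
#   2.23.140.1.3   = EV Code Signing (assumed from the CA/B Forum BRs)
#   2.23.140.1.4.1 = OV/standard Code Signing (the OID quoted for Yarn)
# The Certificate Policies extension (2.5.29.32) is decoded from raw DER
# rather than from .Format(), so the result does not depend on how
# crypt32 pretty-prints the extension.
param(
    [Parameter(Mandatory = $true)]
    [string]$Path
)

function Read-DerLength {
    # Decode a DER length at $Pos and advance $Pos past it.
    param([byte[]]$Bytes, [ref]$Pos)
    $b = [int]$Bytes[$Pos.Value]; $Pos.Value++
    if ($b -lt 0x80) { return $b }
    $n = $b -band 0x7F            # long form: next $n bytes are the length
    $len = 0
    for ($i = 0; $i -lt $n; $i++) {
        $len = ($len * 256) + [int]$Bytes[$Pos.Value]
        $Pos.Value++
    }
    return $len
}

function ConvertFrom-DerOid {
    # Turn the content octets of an OBJECT IDENTIFIER into dotted form.
    param([byte[]]$Content)
    if ($Content.Length -eq 0) { return }
    $first = [int]$Content[0]
    if ($first -ge 80) { $arcs = @(2, ($first - 80)) }
    else { $arcs = @([int][math]::Floor($first / 40), ($first % 40)) }
    $acc = 0
    for ($i = 1; $i -lt $Content.Length; $i++) {
        $acc = ($acc * 128) + ([int]$Content[$i] -band 0x7F)
        if (([int]$Content[$i] -band 0x80) -eq 0) { $arcs += $acc; $acc = 0 }
    }
    $arcs -join '.'
}

function Get-DerOids {
    # Walk DER TLVs recursively and emit every OID found (policy identifiers
    # and qualifier ids alike; only specific values are tested later).
    param([byte[]]$Bytes)
    $pos = 0
    while ($pos -lt $Bytes.Length) {
        $tag = [int]$Bytes[$pos]; $pos++
        $len = Read-DerLength -Bytes $Bytes -Pos ([ref]$pos)
        if ($len -gt 0) {
            $content = [byte[]]$Bytes[$pos..($pos + $len - 1)]
            if (($tag -band 0x20) -ne 0) { Get-DerOids -Bytes $content }   # constructed
            elseif ($tag -eq 0x06)       { ConvertFrom-DerOid -Content $content }
        }
        $pos += $len
    }
}

$sig = Get-AuthenticodeSignature -FilePath $Path
if ($null -eq $sig.SignerCertificate) {
    # This is the case the installer shows as "Publisher: Unknown".
    "{0}: {1} (no signer certificate)" -f $Path, $sig.Status
    return
}

$cert = $sig.SignerCertificate
$policyExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.32' }
$oids = if ($policyExt) { @(Get-DerOids -Bytes $policyExt.RawData) } else { @() }

$class = if ($oids -contains '2.23.140.1.3') { 'EV code signing' }
         elseif ($oids -contains '2.23.140.1.4.1') { 'OV (standard) code signing' }
         else { 'no CA/B Forum code-signing policy OID' }

"{0}: {1}" -f $Path, $sig.Status
"  Subject : {0}" -f $cert.Subject
"  Issuer  : {0}" -f $cert.Issuer
"  Policies: {0}" -f ($oids -join ', ')
"  Class   : {0}" -f $class
```

Run it as `.\Get-SignerPolicy.ps1 -Path 'C:\Program Files\7-Zip\7z.exe'` (script name and path assumed). `Status` will be `NotSigned` for an unsigned binary and `Valid` for one whose chain verifies; `HashMismatch` means the file was modified after signing, which is the tampering case raised above. Note that this tells you what the certificate claims about its validation level, not what reputation SmartScreen has assigned to it; that is server-side and not visible from the file.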