Charles Fang Yu
VoxPop is not malware: Microsoft Authenticode, and how it’s screwing us.
Updated: Aug 25, 2020
Hey everyone, as many of you may have experienced yourselves, Windows flags VoxPop as a potentially risky file. When installing, you may get a warning that VoxPop is potentially malware.
VoxPop is not malware: the issue is just that we aren’t registered with Microsoft Authenticode. We are, of course, well aware of the issue, and have been doing everything we can to resolve the problem. Unfortunately, much like bashing our faces into a brick wall, instead of a path forward, we’ve mostly ended up frustrated and concussed.
Still, we figured the least we could do is explain the situation.
WHAT IS AUTHENTICODE?
In order for your program to be whitelisted as safe on Windows, you need something called a Code Signing certificate. A Code Signing certificate gives your company a fingerprint, and allows Microsoft to track certain data related to it.
Specifically, Microsoft wants to know how many times your program has been downloaded and installed. If enough people download and install your program, and none of them report problems, then you’ll be authenticated and thus whitelisted.
Sounds reasonable, right? So what’s the problem?
Well, the problem is that all the details of the Authenticode program are kept secret!
How many downloads do we need to get verified? No idea. What other variables is Microsoft considering? No idea. Are they even receiving our data right now, or has something about the cert been implemented wrong? NO IDEA.
Meanwhile, because we aren’t whitelisted, Windows flags us as potential malware, and ultimately many people are dissuaded from downloading and installing. It’s a vicious cycle: fewer installs means less reputation, and less reputation means more warnings.
We at VoxPop have exactly 0 insight into the whitelisting process, and believe me, it makes us every bit as frustrated as you.
CAN YOU GET AROUND AUTHENTICODE?
The short answer is, no.
We were sold a lot of solutions, of course. The most prominent was an EV Code Signing certificate. A lot of online articles helpfully informed us that this Extended Validation certificate would give us instant whitelist status, as opposed to forcing us to.
Of course, the company we acquired that certificate from, DigiCert, helpfully informed us it was a myth.
Not only do you STILL have to build up your Authenticode reputation even with an EV Code Signing certificate; because the details of the Authenticode algorithm are a secret, nobody can even tell us HOW much an EV Code Signing certificate helps, if at all.
Worse, because getting a new cert means getting a new identity, and thus a new certificate hash, it would effectively wipe all of the trust we’ve built so far. VoxPop would be starting from scratch.
The same company representative informed us as well that Microsoft once had a manual code review service, but that it has since been discontinued.
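For anyone who wants to see what that “fingerprint” actually is on their own machine, here is a PowerShell snippet. It is added here as an illustration and is not part of the original post or VoxPop’s own code. It reads the Authenticode signature on a downloaded installer and prints the signer’s certificate thumbprint, which is exactly the identifier that changes when a publisher gets a new cert. The file path is an assumption; substitute the real installer name.

```powershell
# Added example, not from the VoxPop post: inspect the Authenticode signature
# on a downloaded installer before running it.
$installer = 'C:\Users\you\Downloads\VoxPop-Setup.exe'   # assumed path, not from the post

$sig = Get-AuthenticodeSignature -FilePath $installer

# Status says whether the signature chain validates on this machine:
#   Valid        - signed, chain builds to a trusted root, file unmodified since signing
#   NotSigned    - no Authenticode signature present at all
#   HashMismatch - a signature is present but the file was altered after signing
#   NotTrusted / UnknownError - chain or policy problems
"Status        : $($sig.Status)"
"StatusMessage : $($sig.StatusMessage)"

if ($sig.SignerCertificate) {
    $cert = $sig.SignerCertificate

    # Subject is the publisher identity the Windows dialog shows as the verified publisher.
    "Subject       : $($cert.Subject)"
    "Issuer        : $($cert.Issuer)"

    # The thumbprint is the certificate's fingerprint. A renewed or replacement
    # certificate has a different thumbprint, which is why a new cert means
    # starting reputation from scratch.
    "Thumbprint    : $($cert.Thumbprint)"
    "Cert validity : $($cert.NotBefore) to $($cert.NotAfter)"

    # A timestamp countersignature keeps the signature valid after the
    # signing certificate itself expires.
    if ($sig.TimeStamperCertificate) {
        "Timestamped by: $($sig.TimeStamperCertificate.Subject)"
    } else {
        "Timestamped   : no (signature stops validating once the cert expires)"
    }
}

# Note: SmartScreen's reputation verdict is a separate decision and is not
# exposed by this cmdlet. A Valid status only tells you who signed the file
# and that it has not been modified since; it does not mean Windows will
# skip the "unrecognized app" warning.
```

If you run this against a build and see Valid with VoxPop’s subject and the same thumbprint across releases, the signature side is working as intended; the remaining warning comes from the reputation process this post is about, not from a broken signature.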
SO WHAT DOES THAT MEAN FOR VOXPOP?
For now? Nothing. And that’s the unfortunate part.
There’s nothing we can do to remove that warning, except hope that enough people install anyway that we can eventually convince Microsoft we’re okay.
However, the good news is that this also means nothing has changed about VoxPop’s mission.
We are still committed to pushing for a better future for streamers and indie devs. We are once again dedicating 100% of our time and resources to building the best platform we can, and reaching as many people as we can.
If you want to help, maybe download our latest client yourself, and spread the word. If you already have VoxPop installed, thank you for doing your part. With your help, we’re still going to shake this industry!