by ksm
2208 days ago
We have been bitten by this one multiple times now over the years, but it seems to have gotten worse. Our otherwise SaaS product requires an installable component for our customers' PCs, from an installation package (MSI and/or EXE) that we generate on the fly on a per-customer basis in order to customize data inside the installer for each tenant. For this reason, the timestamp of the digital signature varies between packages, as does the hash [of the content], and for _months_ after we have renewed our signing certificate we get support messages about both SmartScreen "scary warnings" and warnings from some AV products as well. This is despite the number of downloads or runs of the package(s) signed with one and the same signature. As the article mentions, it does not matter if you have had a previous certificate; each renewal (technically a new certificate) starts this reputation process from zero. What's worse, since the signing happens on the [Windows] server as part of the product itself, we really cannot use EV certificates either, as those require physical USB dongles to be attached to the machine doing the signing, so we are left with only the option of using a regular certificate that gets this treatment. Sure, a 10-year certificate would postpone the issue for a long time, but for security purposes we actually want to recycle those signing certificates at a one- to two-year interval, so the problem always resurfaces regularly.