Comment by electroly
10 hours ago
Perhaps not legally, but technically, you have an option: don't use the Microsoft Store. This isn't as wild a suggestion as it may seem to non-Windows users: the store is barely used by Windows users. You can get your own code signing certificate from a public CA, sign your own installer, and post it on your website. This is still the primary way that Windows software is distributed. Microsoft does not have a hand in any part of it; they can't cancel anything. Their only role is including the public CA in their root certificate store. If you're not shipping a kernel driver, you don't need Microsoft's permission for anything. You can still ship an .msix installer which is the same technology used by the Store.
I recently de-listed my app in the store and closed my Microsoft developer account. I was wrong for having bothered with it; just a waste of my time for no benefit. Stick to your own deployment.
It’s become neigh impossible to get your own code signing cert these days. The 2025 update from the CA forum required code signing certs to be short lived (no more three or five year certs) and stored exclusively on an HSM. As a result, most companies cross-signing these certs have moved to a subscription PaaS model where you are issued a cert but never receive custody of it, and perform signing via their APIs, and are at their mercy should they decide to block your account.
Anyway, even if you could get your own cert it would be same thing: MS could revoke or blacklist your indicate cert (though usually the grounds for doing so are much less shaky than your account being suspended for vague “tos violations”)
I was afraid of the HSM at first but for an open source developer (rather than a big company) I found it wasn't a big deal. I can't sign in GitHub Actions and I have a USB stick that lights up when I sign releases, but it hasn't been a blocker. I got mine from Sectigo Store. This isn't hypothetical, I really did it, I've got the HSM, it works. It wasn't difficult. It just cost some money and a little bit of time. "Nigh impossible" is a tremendous exaggeration. I'll concede "annoying and expensive" perhaps. If you've got the money, you can get the HSM. You don't have to re-buy the HSM when you renew your certificate.
The Microsoft Store account was painful to set up, I'll note. My developer account had also been cancelled by Microsoft for unknown reasons, and I ultimately had to set up a brand new one. New email, new name. My new account has my middle initial because I couldn't clash with the existing, closed account. My first and last name alone are banished forever from the store.
The "same thing", as you concede, isn't the same thing. Quantity has a quality of its own: one happens all the time and we're reading an article about it happening right now. In the comments there's another prominent maintainer who it happened to, and it happened to me personally! That's three right here! The other happens so infrequently that people in this same HN thread are complaining that it isn't happening enough. Can you find an example that's like Veracrypt and WireGuard? In practice, it seems they rarely do this, even when they should. You can actually view the list under "Manage computer certificates" > "Untrusted Certificates." On my computer the entire list is 20 certificates.
I'm standing by my suggestion, 100%. These aren't equivalent risks at all.
Thanks for sharing your experience. I have been code signing releases for over a decade as an indie publisher myself, until I found myself effectively iced out by the HSM requirement, the increased cost, and the shortened cert lifetimes, which, as someone with certain executive order dysfunctions, I already had a hard time being on top of with the old (multi-year) lifetimes.
I just migrated to MS artifact signing and, thank the lord, had an actually easier time getting verified than I did with the Sectigo and Comodo in the past. I’m sure I’m not representative of anyone else’s experience but having already had a developer account (with a different email and without an Azure account!) that I had already been using for the Microsoft Store might have helped, as well as the fact that I had a well-established business history (I’ve heard businesses younger than 3 years can’t get verified??), but reading all the comments here makes me very uneasy about the future.
It’s good to know the HSM route isn’t a complete non-starter. The main reason I panned it is that when I started looking into this I found that a number of companies that had previously offered the HSM route had done a bait and switch and were now keeping custody unless you were big enterprise (meaning willing to put up with 10k/yr fees). I did find a few that would allow OSS devs to sign their work, but read horror stories on Reddit and elsewhere about their freezing the account and issuing no refunds if you ask them to issue the cert in the name of your LLC or corporation instead of with your personal name (which I expressly did not want). Also, they actually were more expensive than Azure artifact signing even after the HSM cost was taken out.
2 replies →
Yep. OS level stores are just way for the org to exercise control over installs.
I have stay far away from that process for a long time. Apple MacOS seems like the worst in that department IMHO.
what do you mean? mac doesn't require the use of the store at all, or even an apple id to use your computer
I have found that MS still blocks my signed and timestamped .msi files for at least a few days. From saving the downloads in Edge and then via Smartscreen once you get it downloaded.
If I submit it manually for every update it tends to go better. If more people download and install it whitelists faster. But that is highly annoying, orwellian bullshit. Might even be anti-competitive or downright illegal.
I see the same behavior with my MSIs. I've had better luck with my MSIXs. As much as I like being Store-free, I have a June 2025 release of an MSI-based app that still gets dinged by Edge and again by SmartScreen. A different MSIX-based app, with almost no users, gets dinged by Edge but not by SmartScreen. It's the same certificate. I can never be sure what other users are seeing, though.
tbh, I thought that I had built enough reputation on this particular MSI release, until testing it just now. Hate to see it :(
Yeah, same here. It's a black box. Nobody knows how it works or what you can do to make it hassle free.
MS went from "developers, developers, developers" to being a nightmare for everyone involved.
I actually liked Visual Studio 6 and the old MSDN. Now I only wish they were gone.
Thank you for that. Although it may be unlikely, I'd love to see a mass exodus away from their failed attempt to emulate all the worst aspects of appstores popularized in other platforms.
I grew up being able to download software and install it, and actually prefer that model (relying on reputational trust of the party publishing it, my own verification from other signals researched, or sandboxing techniques where appropriate).
Most users may not be aware, but a rare gem of a version of Windows that refreshingly doesn't even come with the store (or a bunch of the other unwanted bloat) is IoT Enterprise LTSC.
As a lifelong Windows user, the premise of Microsoft controlling what goes on my PC is revolting. I'm buying a tool from them, not a set of handcuffs. If it was some non-profit, open-source group running the store I might be more inclined to trust it. But ultimately the only gatekeeper on a product I own should be me. Otherwise I don't really own it, which leads to problems like this one.