I’m trying to figure this out and it seems expensive.

Getting proper code signing certificates for Windows EXE installers costs real money - the kind of money that makes you pause and think about whether it’s worth it for a side project.

The cheaper and easier route seems to be using the Windows Store, but I don’t want to be locked into the store ecosystem: I want people to be able to download a binary from a website and run it without Windows Defender freaking out. I’ve not actually looked into whether this “store” option is Store UI only or whether I can get a binary out of it, but I assume the latter.

This is specifically for VidPare-Win, the Windows version of my video processing tool. It’s not a super pressing issue currently as I’m concentrating on the OSX version first. But it’s another thing on my backlog to figure out at some point…

Code Signing — Options & Tradeoffs

⚠️ Warning: This section was generated by Claude and I haven’t had a chance to properly validate it yet. Take it with a grain of salt until I do!
ℹ️ Info: Funnily enough, Coderabbit caught some of the mistakes from Claude’s investigation in its review of this post in the PR (See this review comment)… so maybe it’s not as expensive as I thought… one for another round of investigation.

Option A: Self-Signed Certificate (dev/testing only)

Free and instant. Not trusted by other machines without manual setup — not suitable for public distribution.

# Create the cert (Subject must match manifest Publisher exactly)
$cert = New-SelfSignedCertificate `
  -Type Custom `
  -Subject "CN=VidPare Dev, O=VidPare, C=US" `
  -KeyUsage DigitalSignature `
  -FriendlyName "VidPare Dev Signing" `
  -CertStoreLocation "Cert:\CurrentUser\My" `
  -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.3", "2.5.29.19={text}Subject Type=End Entity")

# Export to PFX for build tooling
Export-PfxCertificate -cert $cert -FilePath VidPare.pfx `
  -Password (ConvertTo-SecureString "<YOUR_PASSWORD>" -Force -AsPlainText)

# Get thumbprint for csproj
$cert.Thumbprint

To install on a test machine: right-click the .msix > Properties > Digital Signatures > View Certificate > Install to Local Machine > Trusted Root Certification Authorities (requires admin), then double-click the .msix.

Never commit the .pfx to git. Add *.pfx to .gitignore.
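An added example (not from the post) that ties the Option A steps together: it checks that the manifest Publisher matches the cert Subject before signing, signs the package, and reports the verification status. It assumes signtool.exe from the Windows SDK is on PATH and uses the VidPare.pfx and placeholder password from above; the .msix name is a placeholder.

```powershell
# Added example: pre-flight check, sign, and verify an MSIX with the Option A dev cert.
# Assumes signtool.exe (Windows SDK) is on PATH; file names and password are placeholders.
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Get-MsixPublisher {
    param([string]$MsixPath)
    # An .msix is a zip; the Publisher attribute lives in AppxManifest.xml at its root.
    $zip = [System.IO.Compression.ZipFile]::OpenRead($MsixPath)
    try {
        $entry = $zip.GetEntry('AppxManifest.xml')
        if (-not $entry) { throw "AppxManifest.xml not found in $MsixPath" }
        $reader = New-Object System.IO.StreamReader($entry.Open())
        try { [xml]$manifest = $reader.ReadToEnd() } finally { $reader.Dispose() }
        return $manifest.Package.Identity.Publisher
    } finally { $zip.Dispose() }
}

function Invoke-MsixTestSign {
    param(
        [string]$MsixPath    = 'VidPare.msix',       # placeholder package name
        [string]$PfxPath     = 'VidPare.pfx',
        [string]$PfxPassword = '<YOUR_PASSWORD>'
    )
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PfxPath, $PfxPassword)
    $publisher = Get-MsixPublisher -MsixPath $MsixPath

    # Windows refuses to install a package whose manifest Publisher differs from the
    # signing cert's Subject, so fail here (exact, case-sensitive string) before signing.
    if ($publisher -cne $cert.Subject) {
        throw "Publisher mismatch: manifest '$publisher' vs cert '$($cert.Subject)'"
    }

    # SHA-256 file digest; /f pins signtool to exactly this PFX (no store lookup).
    & signtool.exe sign /fd SHA256 /f $PfxPath /p $PfxPassword $MsixPath
    if ($LASTEXITCODE -ne 0) { throw "signtool failed with exit code $LASTEXITCODE" }

    # Expect 'UnknownError' (untrusted root) until the cert is installed in the test
    # machine's Trusted Root store, then 'Valid'. Anything else means a bad signature.
    $sig = Get-AuthenticodeSignature -FilePath $MsixPath
    [pscustomobject]@{
        Status     = $sig.Status
        StatusText = $sig.StatusMessage
        Thumbprint = $sig.SignerCertificate.Thumbprint
        MatchesPfx = ($sig.SignerCertificate.Thumbprint -eq $cert.Thumbprint)
    }
}

Invoke-MsixTestSign
```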

Option B: Commercial Code Signing Certificate (public distribution)

Since June 2023, all OV and EV certificates must be stored on a hardware token or cloud HSM — no software PFX for public certs anymore. EV certs are trusted by Windows SmartScreen immediately; OV certs build reputation over time.

Vendor     OV (~annual)         EV (~annual)
SSL.com    ~$65/yr              ~$349/yr
Sectigo    ~$715/yr             ~$829/yr
DigiCert   ~$696/yr ($44/mo)    ~$972/yr ($62/mo)

These are estimates as of April 2026 — prices vary by duration, reseller, and storage method (token/HSM/cloud). Check the vendor links above for current rates.

For CI/CD with a commercial cert, use Azure Key Vault (store the cert there, sign with AzureSignTool in the pipeline — no physical USB token in CI).

Option C: Microsoft Store (Microsoft signs for you)

  • Free registration for individual accounts, ~$99 USD for company accounts (varies by region).
  • Microsoft assigns you a Publisher identity — you must update the manifest to match it.
  • You sign your upload with any cert (even self-signed), Microsoft re-signs before delivery.
  • Users see a Microsoft-signed package; no SmartScreen issues.
  • Downside: up to 3 business days certification review (often faster), Store policies apply, 15% revenue share on paid apps.