I create desktop apps and update them fairly frequently with new features. I sign the setup and all included files with an EV Code Signing certificate.
The problem that I have is that when I release a new version, browsers warn the user that the setup file is “not commonly downloaded and may be dangerous”. This warning disappears after a while, once enough users have downloaded the new version; however, the first ‘x’ users (hey Google and Microsoft, what’s the value of ‘x’???) see the warning message.
In addition, although I test all files with VirusTotal to ensure that no users see any false positives, there seem to be some anti-virus vendors (McAfee’s enterprise products, not their consumer products, and Avast) that sometimes display a false positive to users, even though the versions of their products on VirusTotal don’t flag any issues.
McAfee and Avast want me to send files to them for whitelisting every time a new version is published, but their approval process takes a few days, so this is really sub-optimal.
An approach I’ve been contemplating is to create a thin installer that never changes but instead downloads the latest files from the website every time it runs. This means that the version will remain stable.
Has anyone used this approach? Any tools to recommend? Anything else to keep in mind?
An MSI installer is preferable, but I’m open to all suggestions or alternative solutions - thanks!
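Added example, not from the original post or any vendor tool: a PowerShell thin bootstrapper of the kind described above, which downloads the current release but runs it only after the SHA-256 from a manifest and the Authenticode signer thumbprint both check out. The manifest URL, its JSON layout (file, url, size, sha256) and the pinned thumbprint are assumed placeholders.

```powershell
# Added example, not from the original post. Placeholder values: manifest URL, its
# assumed JSON layout {file,url,size,sha256}, and the pinned signer thumbprint.
$ErrorActionPreference = 'Stop'
$ManifestUrl      = 'https://example.invalid/releases/latest.json'   # placeholder
$PinnedThumbprint = '0000000000000000000000000000000000000000'         # placeholder: your EV cert thumbprint
$StageDir = Join-Path $env:TEMP ('bootstrap-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $StageDir | Out-Null

# 1. Fetch the manifest (assumed layout: file, url, size, sha256) over HTTPS.
$manifest = Invoke-RestMethod -Uri $ManifestUrl

# 2. A tampered manifest must not be able to point at plain HTTP or write
#    outside the staging directory (e.g. "..\..\Startup\evil.exe").
if (-not $manifest.url.StartsWith('https://', 'OrdinalIgnoreCase')) {
    throw "Refusing non-HTTPS payload URL: $($manifest.url)"
}
if ($manifest.file -ne [IO.Path]::GetFileName($manifest.file)) {
    throw "Manifest file name '$($manifest.file)' is not a plain file name."
}
$Payload = Join-Path $StageDir $manifest.file
Invoke-WebRequest -Uri $manifest.url -OutFile $Payload

# 3. Integrity: size and SHA-256 must match the manifest exactly.
if ((Get-Item $Payload).Length -ne [int64]$manifest.size) {
    throw "Size mismatch for $($manifest.file); refusing to run it."
}
$actualHash = (Get-FileHash -Algorithm SHA256 -Path $Payload).Hash
if ($actualHash -ne $manifest.sha256.ToUpperInvariant()) {
    throw "SHA-256 mismatch for $($manifest.file); refusing to run it."
}

# 4. Authenticity: the signature must be 'Valid' AND come from the pinned cert.
#    'Valid' alone accepts any trusted code-signing certificate, so a compromised
#    web server could serve a matching manifest plus a differently signed binary;
#    the thumbprint pin ties execution to your own EV key.
$sig = Get-AuthenticodeSignature -FilePath $Payload
if ($sig.Status -ne 'Valid') {
    throw "Authenticode status is '$($sig.Status)', expected 'Valid'."
}
if ($sig.SignerCertificate.Thumbprint -ne $PinnedThumbprint) {
    throw "Signer $($sig.SignerCertificate.Thumbprint) is not the pinned publisher."
}

# 5. Only now hand off to the real installer (MSI via msiexec, or an EXE setup).
if ([IO.Path]::GetExtension($Payload) -ieq '.msi') {
    Start-Process -FilePath 'msiexec.exe' -ArgumentList @('/i', "`"$Payload`"", '/qb') -Wait
} else {
    Start-Process -FilePath $Payload -Wait
}
Remove-Item -Recurse -Force $StageDir
```

Keep the pinned thumbprint in step with certificate renewals, otherwise the bootstrapper will start refusing your own releases.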