Publishing a game on itch.io

Discussion in 'General Discussion' started by Sibic, Sep 25, 2022.

Thread Status:
Not open for further replies.
  1. Sibic

    So when I publish a game on itch.io and then download the game I get a Windows protection message saying potential threat and all that. I did some research and found a few reasons why it does this. It does this because Windows 10 apparently dislikes any software not signed with a cryptographic certificate, or that's what I've collected from posts on the subject. I did some research and I guess you're supposed to buy it from a certificate provider, or Microsoft.

    I post this information because I think it's something important to know when publishing a game and if anyone knows a way I can either make a license or get around this Windows protection message I hope they would share this.
     
  2. Murgilod

    This doesn't have anything to do with itch.io and, frankly, shouldn't be happening with anything you're building with Unity.
     
  3. Sibic

    So do you have any theories on why I get a Windows protection window when downloading my own game? Or is this just telling me I'm doing it wrong without explaining to me why I'm doing it wrong?
     
  4. Antypodish

    Windows doesn't care what you're downloading. Even for your own files.
    Thing is, you download executable files.
    Your system detects that you download executable files, and warns you.
    For your system these are new files. Not copies of original files.
    Even in some special cases, when building a new game, the OS can prompt you with a security warning.
    That depends on your project's set of libraries.
     
    Socrates likes this.
  5. Sibic

    But how would you stop this security prompt from coming up for other people who download your game from a marketplace? Would I be building my game incorrectly? The game folder has an executable, DLL, data folder, and a mono_bleeding edge folder. Then I put it in a compressed zip and publish it.
     
  6. neginfinity

    You don't stop it.
     
  7. Sibic

    So then why is it that when I download an indie game from elsewhere this message does not come up? I have downloaded indie games that give me this message besides mine, but other indie games won't show this message.
     
  8. angrypenguin

    You need to get the security system to recognise your executable as safe. That's deliberately expensive and/or time consuming, because if it was easy to do then every malware writer would just do it (and I bet big ones do!).

    I've definitely seen it before.
     
  9. Murgilod

    Tell me where I said "doesn't"
     
  10. Sibic

    I looked up where to get an SSL, which is the license that says your software is trusted. It is definitely expensive, I'll just deal with it for now and hope people ignore the message.
     
  11. Murgilod

    An SSL certificate is for websites.
     
  12. DragonCoder

    As far as I know, it does not matter what software something is made with. Would be rather silly if the security mechanism would recognize everything made with Unity as safe since you can make harmful stuff with it, if you want to.

    As far as I have read up on this topic once, you either can get a certificate - there are companies offering that (haven't quite found out how you get it from MS directly, if possible) for roughly 1000$ every two years or something.

    Alternatively, MS will deem software as safe after a certain number of uses on computers which do not have most of MS home-calling features disabled. No idea what the number of downloads has to be, but that is likely why you do not encounter it on many indie games.

    The principle is very similar. Here it's called "Code Signing Certificate".

    EDIT: This site dramatizes it a bit as they do sell that service, but they do explain the matter: https://codesigningstore.com/what-is-an-unknown-publisher-warning
     
    Last edited: Sep 26, 2022
  13. Murgilod

    It doesn't matter if "the principle is very similar" if they buy an SSL cert and think that will solve their problem.
     
  14. DragonCoder

    You could quickly and honestly explain it where you offer the download link. Something along the lines of:
    "Note: Windows may warn you of an "Untrusted Publisher" of this software. That's because I cannot afford an official certificate yet, being an indie dev."

    Fairly sure they had found the right thing (especially since they said it's expensive which certificates for websites are not), but yeah, better to go sure :)


    EDIT: just looked that up, my memory of 1000$ per two years was spot on. Kinda ridiculous that this is the same price range as a Unity Pro membership which is a whole software and support, while certificates are just a simple authentication service which probably costs just a few bucks to run per user >_>
    MS got some money making scheme out there, lol.
     
  15. Ryiah

    Microsoft SmartScreen is a reputation-based system but it only allows you to start gaining reputation if you sign your application with a standard (or regular) code signing certificate. Once signed, reputation will build up and after a certain amount has been accumulated the popup will no longer appear. This certificate is about $100/yr USD.

    If you want to completely bypass the reputation building though you can go with an EV (Extended Validation) code signing certificate. Aside from being much more expensive ($300/yr USD) it requires the CA (Code Authority) to perform a more thorough validation.

    https://security.stackexchange.com/...ite-i-signed-the-executable-why/139520#139520
     
    Last edited: Sep 26, 2022
    angrypenguin and DragonCoder like this.
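
Added example, not part of any post in this thread: the posts above turn on whether the downloaded executable and its DLLs carry a code signature, so this Python sketch checks a PE file for an embedded Authenticode blob by reading the certificate-table entry of its header. The names `embedded_signature` and `build_sample` are made up for this example, and the sample images are constructed header-only byte strings, not real builds.

```python
import struct

SECURITY_DIR = 4            # index of the certificate table in the PE data directories
PKCS_SIGNED_DATA = 0x0002   # WIN_CERTIFICATE type used for Authenticode signatures

def embedded_signature(data: bytes):
    """Return (file_offset, size) of the signature blob, or None if the file is unsigned.
    Presence only: this does not verify the signature or its certificate chain."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file (no MZ header)")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE file (no PE signature)")
    opt = pe_off + 24                        # optional header follows the 20-byte COFF header
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    dirs = opt + (96 if magic == 0x10B else 112)   # PE32 vs PE32+ layout
    (count,) = struct.unpack_from("<I", data, dirs - 4)   # NumberOfRvaAndSizes
    if count <= SECURITY_DIR:
        return None
    # For this one directory the first field is a file offset, not an RVA.
    offset, size = struct.unpack_from("<II", data, dirs + 8 * SECURITY_DIR)
    if offset == 0 or size < 8:
        return None
    if offset + size > len(data):
        raise ValueError("certificate table points outside the file")
    _length, _revision, cert_type = struct.unpack_from("<IHH", data, offset)
    return (offset, size) if cert_type == PKCS_SIGNED_DATA else None

def build_sample(signed: bool, pe32_plus: bool = True) -> bytes:
    """Constructed header-only PE image for the demo; not a runnable program."""
    opt_size, dirs_rel = (240, 112) if pe32_plus else (224, 96)
    pe_off = 0x40
    buf = bytearray(pe_off + 24 + opt_size)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, pe_off)
    buf[pe_off:pe_off + 4] = b"PE\0\0"
    struct.pack_into("<H", buf, pe_off + 20, opt_size)      # SizeOfOptionalHeader
    opt = pe_off + 24
    struct.pack_into("<H", buf, opt, 0x20B if pe32_plus else 0x10B)
    struct.pack_into("<I", buf, opt + dirs_rel - 4, 16)     # 16 data directories
    if signed:
        cert_off = len(buf)
        struct.pack_into("<II", buf, opt + dirs_rel + 8 * SECURITY_DIR, cert_off, 16)
        buf += struct.pack("<IHH", 16, 0x0200, PKCS_SIGNED_DATA) + b"\0" * 8  # placeholder blob
    return bytes(buf)
```

Run over the .exe and every .dll in a build folder before zipping it, this shows which files would ship unsigned; `Get-AuthenticodeSignature` in PowerShell or `signtool verify /pa` then confirms that a signature actually validates.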
  16. DragonCoder

    That's really how it is?
    I would have expected all this to be a way bigger topic in indie communities then, but it's hard to find information about this kind of certificate in general, albeit usually I do not see that popup.

    Happen to have some sources? Especially where to buy that cheaper/basic variant, since so far I only found the pricier variant.
     
  17. Ryiah

    DragonCoder likes this.
  18. angrypenguin

    Tell me where I said you did. :p

    In any case, why "shouldn't" it?

    I understand that Unity's provided executables are probably "recognised" by the system, but they load DLLs which won't be. I don't know if that trips up the system. Ideally it probably should, but that'd be quite difficult to reliably detect at load time alone.
     
    SunnySunshine likes this.
  19. kdgalla

    If it makes you feel any better, I have AVG and it warns me about every Steam game in my library. :D
     