Code signing your games (mainly Godot)

[Update] This will help with this problem, but on further research the only way to have your application fully signed and trusted by Windows is to use a third party certification authority.  This is expensive and out of reach for a lot of us making games as a hobby.  The process outlined here will help your games eventually become trusted, and appears to be a good practice to do, but it seems like a lottery as Microsoft may eventually trust your game if you get enough downloads and people running it.  I think that if we are really going to be able to move forwards in our own developer stories, there needs to be an accessible solution for this problem that would allow us to get our games "signed" so that they can be trusted by Windows and therefore trusted as safe to play by any of our players.

When building my game for the GameDev.tv Game Jam 2024, and trying out others, I noticed my antivirus software kept considering my game and others as potential malware.  And in some cases it wouldn't even let me run a game.

While a simple fix for this is to turn off antivirus scanning, this isn't really a safe option these days.

On researching this problem I found that it was because when Godot was compiling my game, the software wasn't being "signed" in a way that Windows, or the antivirus software, could recognise that the software was safe to run.

The fix for this, on a Windows system used to build your games, is to install the Windows Software Development Kit (SDK) for your version of Windows and point your game engine (Godot in my case) to a tool called "signtool.exe" installed with the SDK.

Once set up, provided your project details are set up in the Export window to include who is publishing the software, the game engine will then "sign" the software when it is compiled, making it less likely that your game will be flagged by antivirus software.

I'm presently unsure if this process needs to be set up in other game engines, but if it can, it should mean more people can play your game without worrying about whether or not your game contains a virus.

Instructions for Godot (v4.x)

The following steps are for setting up the Godot game engine with the "signtool" for your version of Windows.

  1. Search for and download the Windows SDK for your version of Windows.  A simple Google search for "Windows <your version - 10 or 11 etc> SDK" will find it.  Make sure you are using a genuine Microsoft download; the SDK is free to download and install.
  2. Once you have downloaded and installed the SDK, find "signtool.exe" in your filesystem.  On mine it appears under "<main drive>:\Program Files (x86)\Windows Kits\10\App Certification Kit\signtool.exe"
  3. Once you have copied the file location for the "signtool", open up your Godot project and open the "Editor Settings".  Then in the left-hand panel, navigate to "Export > Windows" and paste the file path with "signtool.exe" on the end of the path so it looks something like the full path in step 2.
  4. After closing the editor settings, the engine is now configured to sign your game on export, but you will still need to configure your publishing details in the Export window.  For my own games, I have included the Version (from the project settings), the Company Name (CrazyHoundGameDesign), the Product Name (name of game) and the Copyright (CrazyHoundGameDesign) fields.  So long as these fields have some information in them, the signtool will then sign the game with this information on export.

If anyone knows if this needs to be done for Unity and Unreal games, please comment below to let me know.  If you can provide some instructions on setting this up in the engines as well, I can add them to this post.

I also know the instructions are a bit different for building games on a Linux OS, so if you set up some instructions, you can link it in the comments or I can add it to the post.

Leave a comment

(1 edit)

I think the real solution is that itch signs the exe, like Steam does.

Or provides a service where we can upload the executable for signing.

Apologies for the long response, and thanks for the comment.

I think that would be a great solution.

While I've not yet gone through the Steam process, I'm aware of what you describe.

The 2 big problems for itch I can see in implementing this style of solution are that to register a signed piece of software is quite expensive generally, and that itch would need to be able to introduce a system for reviewing games to ensure that, as much as possible, only "safe" games are then given the right to use itch's certification.

Without considering these points, there would be a lot of risk to itch if people misuse any offering.

At the moment, itch is essentially a free marketplace for both learning and independent developers.  For itch to be able to implement a solution to this might mean they would need to change their approach to be able to fund such a solution.

My personal opinion is that there needs to be a more affordable approach to certifying software, whether it is through itch or the companies that manage the registers of signed software, because at the moment genuine hobby developers are priced out of the market and have to rely on trust at a personal level for others to use the software we create.

For example, I'm a UK-based hobby developer with no savings and a low-income job; the cost of uploading a game to Steam, while not prohibitive, is enough that I would only be willing to do it if I make a game that I think will really have potential.  The cost of signing the software myself, however, is too expensive for me to even consider it as a viable option right now.  This leaves me stuck with a situation of needing people to be able to play and pay for my games for me to be able to invest in signing the software as appropriate, but people will generally not pay for software that is not signed as the host system will view it as a security risk, regardless of the actual behaviour of the software, preventing me from getting people to play my games as downloaded software as there is no trust or reputation.

(2 edits)

Itch just has to require one payment on the itch account; that way, if someone signs a virus, they have an address to give the authorities and it becomes the card/bank's problem.

Thinking about this more, itch should absolutely make a verified badge for all accounts that made a purchase with a card in their proper name. That way you can trust the download!!!

I'm proposing it... it's a no brainer!!!

(1 edit)

Thanks so much for taking the time to post this! I have followed these steps. However, Windows still flags it on my partner's PC. Googling seems to indicate you actually need to buy a signature license for Windows to actually recognise it. Note: I'm Win10 and she is Win11. Maybe Win11 is more vocal with it as they are trying to be more "secure"?

(+1)

This situation seems a lot more complicated than just using the sign tool.

On further reading it appears as though, as you say, to have your game trusted automatically by Windows, you need to subscribe to a third party certification authority.  Doing this, though, is rather expensive and I imagine most of us (including myself) cannot afford to do this; there also appears to be no reasonable or accessible alternative on a Windows system for this.

Using the sign tool is still a good step as it does "sign" the application for your Windows install, and apparently, if this is done and the application gets enough downloads, Microsoft may eventually consider the application as "safe".

It's quite annoying that there isn't a good solution to this problem for Windows.  I will update the post to reflect this.

I think there needs to be some kind of option for this that is accessible to small developers.

I 100% agree with what you just said. It would be nice if engines themselves are allowed to be recognised by Windows if going through the engine's export or something. Kinda rough... Ah well! It is better, as you say, to do it!!! It wasn't until signing it this way that I noticed it defaults to copyright under someone else's name (I had specified copyright before but I guess it doesn't sign it), so either way this is a good thing to be doing ^.^