Ask HN: Can hash verification replace EV code-signing on Windows?
1 point by hypersnatch_dev 12 days ago | 1 comment
I ship an offline Windows tool and instead of paying for an EV certificate, I am experimenting with a detached verification model:

1. User downloads the .exe from GitHub Releases
2. User downloads verify.ps1 (60-line PowerShell script, zero dependencies)
3. User runs: .\verify.ps1 .\MyApp-Setup.exe

The verifier computes SHA-256 and checks against a hardcoded manifest. No network calls. No certificate chain.

The thesis: for technical users, this is higher trust than opaque SmartScreen telemetry.

Open questions:
- Does the verification step give users enough confidence to click through SmartScreen?
- Is there prior art for this in the Nix/Guix ecosystem?
- What is the minimum viable UX for hash verification?

Repo: https://github.com/Z3r0DayZion-install/hypersnatch
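The detached verifier described in the post, written out as an added example (this is not the hypersnatch project's own verify.ps1): it checks the downloaded file's SHA-256 against a hardcoded manifest with no network access, fails closed on unknown files, and additionally reports the file's Authenticode status so the user sees what the hash check does and does not cover. The file name MyApp-Setup.exe comes from the post; the manifest hash is a constructed placeholder.

```powershell
# verify.ps1 (added example, not the project's script)
# Usage: .\verify.ps1 .\MyApp-Setup.exe
param(
    [Parameter(Mandatory = $true)]
    [string]$Path
)

# Hardcoded manifest: release file name -> expected SHA-256 (lowercase hex).
# The value below is a constructed placeholder, not a real release hash.
$Manifest = @{
    'MyApp-Setup.exe' = '0000000000000000000000000000000000000000000000000000000000000000'
}

if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
    Write-Error "File not found: $Path"
    exit 2
}

# Fail closed: only files named in the manifest can ever pass.
$name = Split-Path -Leaf $Path
if (-not $Manifest.ContainsKey($name)) {
    Write-Error "No manifest entry for '$name'; refusing to verify an unknown file."
    exit 2
}

# Hash computed locally; no network calls, no certificate chain.
$actual   = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash.ToLowerInvariant()
$expected = $Manifest[$name].ToLowerInvariant()

if ($actual -ne $expected) {
    Write-Host "FAIL: SHA-256 mismatch for $name" -ForegroundColor Red
    Write-Host "  expected: $expected"
    Write-Host "  actual:   $actual"
    exit 1
}
Write-Host "OK: $name matches the manifest SHA-256" -ForegroundColor Green

# Informational only. A hash match proves the file is the one the manifest
# author hashed; it says nothing about who that author is, and the manifest
# is only as trustworthy as the channel this script itself arrived over.
$sig = Get-AuthenticodeSignature -FilePath $Path
Write-Host ("Authenticode status: {0}" -f $sig.Status)
exit 0
```

Exit code 0 means the hash matched, 1 means a mismatch, and 2 means the file could not be checked at all, so the result can be consumed by a wrapper as well as read by a person.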

Who watches the watcher? i.e. verify.ps1 is a separate program that needs to be verified somehow.


