
Look into code signing

Open Pathoschild opened this issue 6 years ago • 3 comments

Consider code-signing SMAPI releases to reduce antivirus false positives.

Pathoschild avatar Jul 08 '17 17:07 Pathoschild

Ideally SMAPI should use a code-signing certificate that Linux/Mac/Windows will recognise by default, and isn't too expensive. Some options:

Pathoschild avatar Jul 08 '17 17:07 Pathoschild

I'll go with KSoftware. A quick review of the main candidates per discussion with @vaindil:

  • DigiCert is 'as low as' $178/year, which is pretty expensive. They allow unlimited reissues, but that's not necessary since I have careful backups.
  • Certum is only €28.00/year (plus one-time kit purchase), but it's tied to a physical device which I'd rather not manage.
  • KSoftware is $84/year, with discounts for longer terms. Pricier than Certum, but no physical device to manage. They have good reviews online.

Note that this only applies to Windows. Linux is generally opposed to code signing (see [1] [2] [3]). Mac has code signing, but it doesn't seem to have much relevance (and I'd need to figure out how to do it from Linux).

Pathoschild avatar Mar 17 '18 00:03 Pathoschild

Certificate ordered from KSoftware, pending verification from Comodo.

Pathoschild avatar Mar 17 '18 01:03 Pathoschild