what they’re seeing is Microsoft’s security system in action.
Unfortunately, unlike macOS, Microsoft doesn’t currently have a notarisation process. This means that before I can properly sign a new macOS release, I first have to send it to Apple so they can verify it (by running it through various automated security and verification processes) and if they’re happy, they stamp it as ok and send it back. I’m then able to release it to the public.
Microsoft have another approach. I sign the installer which guarantees that I created the app and also that it hasn’t been modified. v3.2.1 is the first time I’m able to do this, so this is a significant improvement on previous releases which were prone to so-called ‘man-in-the-middle’ attacks where someone makes a dodgy version of Sonic Pi and pretends it’s mine. By signing it, the users are guaranteed that the app they downloaded is by me and nobody can have tampered with it.
However, this is all the signing guarantees. It doesn’t guarantee that I’ve not added dodgy stuff inside myself before signing. This is the kind of thing that Apple automatically check for in their notarisation process.
Instead, Microsoft appear to maintain a whitelist of all URLs that link to apps. If your URL isn’t on that list, then you get that warning.
It can take a few days for Microsoft to add you to the list. I’ve filled in a form which hopefully should have sped that process up - but if people are still seeing it, it suggests that their system is struggling to keep up. Typically it should take 2 days and I submitted it on Monday. I guess the world crisis going on right now isn’t helping.
In terms of a short explanation, you could say something like this to those concerned:
The warning you are seeing is because this version of Sonic Pi is a brand new release, and all Microsoft is doing is letting you know that it can see that it hasn’t been downloaded much yet. (It’s not yet as popular as Zoom!) For those concerned, it’s important to note that v3.2.1 of Sonic Pi is cryptographically signed and therefore guaranteed not to have been tampered with.
Hope that this helps! Happy to answer any further questions.
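The signing guarantee described in the post can be checked locally on a downloaded installer. The following is an added example, not part of the original post or the Sonic Pi project; the installer path and expected publisher name are placeholders to fill in, and `Test-InstallerSignature` is a hypothetical helper name.

```powershell
# Added example: inspect the Authenticode signature of a downloaded installer.
# Both defaults are placeholders, not values taken from the post.
param(
    [string]$InstallerPath     = "$env:USERPROFILE\Downloads\<installer-file>",
    [string]$ExpectedPublisher = '<expected publisher name>'
)

function Test-InstallerSignature {
    param([string]$Path, [string]$Publisher)

    if (-not (Test-Path -LiteralPath $Path)) { throw "File not found: $Path" }

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # Map the signature status to what it says about the file.
    $meaning = switch ($sig.Status) {
        'Valid'        { 'Signed, unmodified since signing, certificate chain trusted' }
        'HashMismatch' { 'File contents changed after signing (tampered or corrupted)' }
        'NotSigned'    { 'No signature: origin and integrity cannot be verified' }
        'NotTrusted'   { 'Signed, but the certificate is not trusted on this machine' }
        default        { "Could not validate: $($sig.StatusMessage)" }
    }

    # Common name of the signer, if there is one.
    $signer = $null
    if ($sig.SignerCertificate) {
        $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
        $signer   = $sig.SignerCertificate.GetNameInfo($nameType, $false)
    }

    [pscustomobject]@{
        Status           = $sig.Status
        Meaning          = $meaning
        Signer           = $signer
        SignerMatches    = ($sig.Status -eq 'Valid' -and $signer -eq $Publisher)
        Thumbprint       = $sig.SignerCertificate.Thumbprint
        # A timestamp keeps the signature verifiable after the certificate expires.
        Timestamped      = [bool]$sig.TimeStamperCertificate
        SHA256           = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    }
}

Test-InstallerSignature -Path $InstallerPath -Publisher $ExpectedPublisher | Format-List
```

A `Valid` status with a matching signer confirms who signed the file and that it has not changed since; it says nothing about what the signer put inside, and it is independent of the download warning discussed above.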