We're happy to share that ngrok's Windows executables are now signed with a DigiCert Extended Validation (EV) code signing certificate, replacing the standard (OV) certificate we've used up to this point.
Microsoft Defender SmartScreen uses a reputation-based system to decide whether to warn users about an executable, and one of the key signals it looks at is how the binary was signed.
Standard OV certificates need to build up reputation over time. Defender tracks reputation at the certificate level, so once a cert is established, things generally work but Defender's behavior can still be unpredictable even with an established OV cert.
EV certificates, on the other hand, establish an immediate reputation with Defender. The extended validation process involves stricter identity verification of the publishing organization and requires the signing key to be stored securely with FIPS 140-2 level 3 compliant hardware. In return, Microsoft grants EV-signed binaries immediate trust. That means no more Windows Defender warnings when you download a fresh ngrok release (we hope 🤞).
For most of you, the change is invisible in the best possible way—things just work more smoothly now.
You can inspect the signature yourself by right-clicking ngrok.exe → Properties
→ Digital Signatures. You'll see the signer listed as ngrok, Inc. with a
DigiCert EV certificate in the chain.
Alternatively, from PowerShell:
powershell
Get-AuthenticodeSignature .\ngrok.exe | Format-ListYou should see a valid signature with StatusMessage: Signature verified and
the certificate subject referencing ngrok, Inc.
This is a small but meaningful improvement to the ngrok download experience on Windows. No action is needed on your part—just enjoy fewer warnings and a smoother setup. If you run into any issues with the new signature, please let us know at support@ngrok.com. For any other feedback about your ngrok-on-Windows experience, we'd love to hear about it on Discord.