Hi everyone,
I’d like to raise awareness about an issue affecting Sublime Text and Sublime Merge on modern Windows 11 systems. This concerns Smart Application Control (SAC) , SmartScreen , and other Microsoft security technologies that increasingly block or warn about unsigned applications — including Sublime’s installers and binaries.
This post is meant to help users understand why Sublime may not start or may show warnings, and to highlight why code‑signing is now essential for compatibility with Windows 11’s security model.
1. What users are seeing
On Windows 11 (especially on new devices), users may encounter:
- Sublime Text or Merge not launching at all
- SmartScreen showing “Unknown Publisher”
- SAC blocking the app with no option to run it
- Installers being flagged as untrusted
- Auto‑updates failing silently
These symptoms are confusing if you’re not familiar with Windows 11’s trust‑based execution model.
2. Why this happens (with Microsoft references)
Microsoft introduced Smart Application Control in Windows 11 22H2. SAC uses code‑signing, reputation, and AI‑based trust decisions to determine whether an application is allowed to run.
Smart Application Control (SAC)
Microsoft states:
-
“Smart App Control blocks untrusted or unsigned applications by default.” Source: Microsoft Learn — Smart App Control overview
https://learn.microsoft.com/windows/security/application-security/smart-app-control(learn.microsoft.com in Bing) -
“Smart App Control is only fully enabled on clean installations of Windows 11.” Source: SAC installation behavior
https://learn.microsoft.com/windows/security/application-security/smart-app-control#installation-behavior(learn.microsoft.com in Bing) -
“Unsigned applications are more likely to be blocked.” Source: SAC trust model
https://learn.microsoft.com/windows/security/application-security/smart-app-control#how-it-works(learn.microsoft.com in Bing)
Because Sublime Text and Sublime Merge installers and binaries are currently not digitally signed , Windows treats them as untrusted.
SmartScreen
SmartScreen also warns when an installer lacks a valid signature:
-
“SmartScreen identifies unrecognized apps and warns users when the publisher cannot be verified.” Source: SmartScreen overview
https://learn.microsoft.com/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview(learn.microsoft.com in Bing)
Reputation‑based protection
Microsoft’s cloud reputation system (used by SAC and SmartScreen) relies heavily on code‑signing:
-
“Unsigned apps or apps with low reputation may be blocked or warned.” Source: Reputation-based protection
https://learn.microsoft.com/microsoft-365/security/defender-endpoint/reputation-based-protection(learn.microsoft.com in Bing)
Unsigned binaries accumulate negative reputation over time, making future blocks more likely.
3. Why this matters for SublimeHQ (developer‑focused section)
Windows 11 24H2 and 25H2 expand SAC and SmartScreen enforcement. This means:
- More users will see warnings or outright blocks
- Enterprise environments using WDAC or AppLocker may reject Sublime entirely
- Unsigned auto‑update binaries cannot be validated by Windows
- SAC cannot be disabled and re‑enabled without reinstalling Windows
- Unsigned binaries accumulate negative reputation in Microsoft’s cloud trust system
Windows Defender Application Control (WDAC)
Microsoft’s enterprise application control system requires signed binaries:
-
“WDAC policies rely on code integrity and require applications to be signed.” Source: WDAC overview
https://learn.microsoft.com/windows/security/application-security/application-control/windows-defender-application-control/wdac-and-applocker-overview(learn.microsoft.com in Bing)
AppLocker
AppLocker also depends on signatures:
-
“Publisher rules require digitally signed files.” Source: AppLocker publisher rules
https://learn.microsoft.com/windows/security/application-security/application-control/applocker/understanding-applocker-rule-collections(learn.microsoft.com in Bing)
Microsoft security baselines
Microsoft’s Windows security baselines increasingly assume signed code:
-
“Applications should be digitally signed to ensure trust and compatibility with Windows security features.” Source: Code signing best practices
https://learn.microsoft.com/windows/win32/seccrypto/code-signing-best-practices(learn.microsoft.com in Bing)
Update integrity
Microsoft’s guidance for update mechanisms:
-
“Updates should be delivered over secure channels and validated using digital signatures.” Source: Secure update guidance
https://learn.microsoft.com/windows/security/threat-protection/windows-defender-application-control/deployment-guide(learn.microsoft.com in Bing)
This directly affects Sublime Text’s auto‑update system.
4. What would help (actionable, reasonable requests)
To ensure Sublime Text and Sublime Merge continue to run smoothly on Windows 11, it would be extremely helpful if SublimeHQ could:
- Digitally sign the installers
- Digitally sign the application binaries
- Sign Package Control
- Add signing support for packages on packages.sublimetext.io
- Use a stable, long‑lived signing certificate to build Microsoft reputation
- Cross‑sign package signatures with an official SublimeHQ certificate
These steps align with Microsoft’s recommended practices and would eliminate SAC blocks, remove SmartScreen warnings, and improve trust and reliability for all users.
5. Invitation for other users to share their experience
If you’ve encountered SAC or SmartScreen warnings when installing or running Sublime Text or Sublime Merge, please share your experience below. This helps the team understand how widespread the issue is.
6. Closing note
This post isn’t meant as criticism — Sublime Text and Sublime Merge are exceptional tools. The goal is simply to help ensure they remain accessible and reliable on modern Windows systems. Code signing is a small change with a large impact on user experience, security, and future compatibility.
Thanks for reading, and I hope this helps both users and the SublimeHQ team.