[HN Gopher] Why does my installer get flagged by Windows?
___________________________________________________________________

Author : grwtr
Score : 35 points
Date : 2021-07-01 20:30 UTC (2 hours ago)
Link : blog.pakkly.com

| mgiannelis wrote:
| You can find the answers to these types of technology-related
| questions on websites such as https://www.techbusinessnews.com.au

| codeflo wrote:
| And that's before Windows Defender falsely identifies your
| executable as a random threat and moves it to quarantine without
| asking. Who do you have to bribe to prevent that?

| viraptor wrote:
| It's really annoying we don't have a better solution for this.
| Even outside of open source, I don't want to spend over $600 up
| front before I sell a single copy of an app just to stop MS from
| blocking it. And that's not even mentioning companies like
| Sectigo being terrible at their job. I've spent over a week going
| in circles with their support about verification: "your license
| shows address A", "no, the back shows the current address B, it's
| in the file I sent", "please send us a valid ID with address B",
| (repeat).
|
| But unfortunately that's just a rant. I don't know if there even
| is a better solution. The money barrier (rather than
| verification) will stop some opportunistic malware, but big
| players won't care.

| mjevans wrote:
| Why doesn't Windows (Microsoft) build open source code
| themselves and sign the source-seen, easier-to-inspect-for-bad-things
| version?

| viraptor wrote:
| It's not easy to spot malware, even if you have the source.
| For example Zoom can capture your screen, start applications,
| capture mic and camera, and allows remote control of your
| desktop. Why wouldn't it be blocked as malware even if you
| could automatically inspect the source?

| sixothree wrote:
| A regular code signing cert is often good enough.

| jhurliman wrote:
| Even for our company, we would fork over the $600, but it looks
| like all of the EV cert options require a hardware signing key.
| Putting a human in the loop for our otherwise fully automated
| release process is a non-starter.

| maille wrote:
| You can automate code signing using Microsoft Azure Key
| Vault. I did it last month, no need for a dongle nor a PIN.

| viraptor wrote:
| Sounds like the hardware key requires a PIN, but not physical
| presence (i.e. not a button touch), so it can be automated:
| https://stackoverflow.com/questions/17927895/automate-extend...

| inspector-g wrote:
| One of my clients has strict requirements for an automated
| build process, and we managed to use an EV code signing
| cert on a YubiKey w/ PIN, so it's definitely possible with
| a little legwork.
|
| After having gone through it, I agree with other posts that
| the main annoyance is the verification process and weeks of
| delays/back-and-forth. That, and the inconvenience of now
| having a single point of failure in the build process
| (unless multiple certs are purchased).

| traceroute66 wrote:
| > Putting a human in the loop for our otherwise fully
| > automated release process is a non-starter.
|
| I don't follow.
|
| The purpose of storing keys in hardware is to irreversibly
| protect the key.
|
| If you then wish to be silly and hardcode the PIN to the
| hardware in your release scripts, then that is your
| prerogative.
|
| If it's the cost of an HSM you're alluding to, even that is a
| non-issue with a YubiKey or Nitrokey.

| jrkfkgmfmr wrote:
| LPT: put your executable binary on GitHub/GitLab/SourceForge/...
| These locations are whitelisted since they have a ton of fresh
| binaries.
|
| Malware writers use this trick to bypass SmartScreen. Chrome's
| equivalent protection also whitelists GitHub/...

| stordoff wrote:
| Not sure this works. Just grabbed a build of WhyNotWin11[1]
| released 20 hours ago, and I get "Microsoft Defender
| SmartScreen prevented an unrecognised app from starting.
| Running this app might put your PC at risk."
|
| [1] https://github.com/rcmaehl/WhyNotWin11 (used for the test as I
| thought I remembered seeing this with a build from earlier this
| week)

| laurent123456 wrote:
| I don't think that works, as I had an app hosted on GitHub, a
| signed one actually, and it was still showing the SmartScreen
| warning at first. It took a few days to go away.

| ronsor wrote:
| Well, that's actually pretty concerning, and it only shows how
| broken these "security" "features" really are.

___________________________________________________________________
(page generated 2021-07-01 23:00 UTC)
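The thread above argues about which signals SmartScreen weighs (signature, signer reputation, file reputation, where the file came from). As an added example that is not from the thread or from any of the commenters, the following PowerShell script reports those signals for a downloaded installer so a release engineer can see which one is missing before shipping; the file path is a placeholder supplied by the caller.

```powershell
# Added example, not from the thread: inspect the signals SmartScreen and
# Defender consult for a downloaded binary. $Path is supplied by the caller.
function Get-InstallerSignals {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Path
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "File not found: $Path"
    }

    # 1. Authenticode status. NotSigned, NotTrusted and HashMismatch are the
    #    cases that produce the "unrecognised app" prompt quoted in the thread.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    [pscustomobject]@{
        Check  = 'Authenticode'
        Result = $sig.Status
        Detail = $(if ($sig.SignerCertificate) {
            "$($sig.SignerCertificate.Subject) (expires $($sig.SignerCertificate.NotAfter))"
        } else { 'no signer certificate' })
    }

    # 2. Timestamp countersignature. Without it the signature stops validating
    #    once the code-signing certificate itself expires.
    [pscustomobject]@{
        Check  = 'Timestamp'
        Result = $(if ($sig.TimeStamperCertificate) { 'present' } else { 'missing' })
        Detail = $(if ($sig.TimeStamperCertificate) { $sig.TimeStamperCertificate.Subject } else { '' })
    }

    # 3. Mark of the Web. The Zone.Identifier alternate data stream is what
    #    makes Explorer hand the file to SmartScreen at all; ZoneId=3 is the
    #    Internet zone, and newer Windows builds also record the download URL.
    $motw = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Check  = 'MarkOfTheWeb'
        Result = $(if ($motw) { 'present' } else { 'absent' })
        Detail = $(if ($motw) { $motw -join '; ' } else { 'file would not be screened' })
    }

    # 4. File hash. Reputation accrues per hash and per signing certificate, so
    #    a fresh build starts with no file reputation even when the signer has
    #    some; that matches the "took a few days to go away" report above.
    $hash = Get-FileHash -LiteralPath $Path -Algorithm SHA256
    [pscustomobject]@{ Check = 'SHA256'; Result = $hash.Hash; Detail = 'reputation is keyed per hash' }
}

# Usage (placeholder path): Get-InstallerSignals -Path "$env:USERPROFILE\Downloads\installer.exe"
```

Run it on the release artifact right after downloading it through a browser, since a file copied locally carries no Zone.Identifier stream and the SmartScreen check would never fire for it.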