[HN Gopher] Why does my installer get flagged by Windows?
___________________________________________________________________
Why does my installer get flagged by Windows?
Author : grwtr
Score : 35 points
Date : 2021-07-01 20:30 UTC (2 hours ago)
(HTM) web link (blog.pakkly.com)
(TXT) w3m dump (blog.pakkly.com)
| mgiannelis wrote:
| You can find the answers to these types of technology related
| questions on websites such as https://www.techbusinessnews.com.au
| codeflo wrote:
| And that's before Windows Defender falsely identifies your
| executable as a random threat and moves it to quarantine without
| asking. Who do you have to bribe to prevent that?
| viraptor wrote:
| It's really annoying we don't have a better solution for this.
| Even outside of open source, I don't want to spend over $600 up
| front before I sell a single copy of an app just to stop MS from
| blocking it. And that's not even mentioning companies like
| Sectigo being terrible at their job. I've spent over a week going
| in circles with their support about verification: "your license
| shows address A", "no, the back shows the current address B, it's
| in the file I sent", "please send us a valid ID with address B",
| (repeat).
|
| But unfortunately that's just a rant. I don't know if there even
| is a better solution. The money barrier (rather than
| verification) will stop some opportunistic malware, but big
| players won't care.
| mjevans wrote:
| Why doesn't Windows (Microsoft) build open source code
| themselves and sign the source-seen, easier-to-inspect-for-bad-
| things version?
| viraptor wrote:
| It's not easy to spot malware, even if you have the source.
| For example Zoom can capture your screen, start applications,
| capture mic and camera, and allows remote control of your
| desktop. Why wouldn't it be blocked as malware even if you
| could automatically inspect the source?
| sixothree wrote:
| Regular code signing cert is often good enough.
| jhurliman wrote:
| Even for our company, we would fork over the $600 but it looks
| like all of the EV cert options require a hardware signing key.
| Putting a human in the loop for our otherwise fully automated
| release process is a non-starter.
| maille wrote:
| You can automate code signing using Microsoft Azure Key
| Vault. I did it last month, no need for a dongle nor a PIN.
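The Key Vault approach maille describes, as an added example that is not from the thread: a PowerShell release step that signs the installer with the open-source AzureSignTool using a service-principal secret supplied by the CI system, then refuses to continue unless Windows validates the resulting signature. The vault URL, certificate name, timestamp server and the three environment-variable names are assumptions.

```powershell
# Added example (not from the thread): sign a release installer in CI with a
# certificate that never leaves Azure Key Vault. Assumes AzureSignTool is installed
# (dotnet tool install --global AzureSignTool); vault URL and cert name are placeholders.
param(
    [Parameter(Mandatory)] [string] $Installer,                   # e.g. .\dist\setup.exe
    [string] $VaultUrl = "https://<your-vault>.vault.azure.net",  # placeholder
    [string] $CertName = "<release-signing-cert>"                 # placeholder
)

$ErrorActionPreference = "Stop"

# The client secret is the equivalent of the dongle's PIN: keep it in the CI secret
# store and inject it as an environment variable, never in the script or the repo.
foreach ($name in "AZURE_CLIENT_ID", "AZURE_CLIENT_SECRET", "AZURE_TENANT_ID") {
    if (-not (Test-Path "Env:$name")) {
        throw "missing environment variable $name"
    }
}

# SHA-256 digests plus an RFC 3161 timestamp, so the signature stays valid after
# the certificate itself expires. Timestamp server URL is an assumption.
AzureSignTool sign `
    --azure-key-vault-url $VaultUrl `
    --azure-key-vault-client-id $env:AZURE_CLIENT_ID `
    --azure-key-vault-client-secret $env:AZURE_CLIENT_SECRET `
    --azure-key-vault-tenant-id $env:AZURE_TENANT_ID `
    --azure-key-vault-certificate $CertName `
    --timestamp-rfc3161 http://timestamp.digicert.com `
    --timestamp-digest sha256 `
    --file-digest sha256 `
    $Installer
if ($LASTEXITCODE -ne 0) {
    throw "signing failed with exit code $LASTEXITCODE"
}

# Gate the pipeline on what Windows itself thinks of the signature: it must be
# valid and chain to a trusted root, otherwise the build is not published.
$sig = Get-AuthenticodeSignature -FilePath $Installer
if ($sig.Status -ne "Valid") {
    throw "signature check failed: $($sig.Status) - $($sig.StatusMessage)"
}
Write-Host "signed $Installer as $($sig.SignerCertificate.Subject)"
```

Whether the signature is valid is a separate question from whether SmartScreen has built reputation for the certificate, which is what the rest of the thread is about.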
| viraptor wrote:
| Sounds like the hardware key requires a PIN, but not physical
| presence (i.e. not a button touch), so it can be automated:
| https://stackoverflow.com/questions/17927895/automate-extend...
| inspector-g wrote:
| One of my clients has strict requirements for an automated
| build process, and we managed to use an EV code signing
| cert on a YubiKey w/ PIN - so it's definitely possible with
| a little leg work.
|
| After having gone through it, I agree with other posts that
| the main annoyance is the verification process and weeks of
| delays/back-and-forth. That, and the inconvenience of now
| having a single point of failure in the build process
| (unless multiple certs are purchased).
| traceroute66 wrote:
| > Putting a human in the loop for our otherwise fully
| automated release process is a non-starter.
|
| I don't follow.
|
| The purpose of storing keys in hardware is to irreversibly
| protect the key.
|
| If you then wish to be silly and hardcode the PIN to the
| hardware in your release scripts, then that is your
| prerogative.
|
| If it's the cost of an HSM you're alluding to, even that is a
| non-issue with a YubiKey or Nitrokey.
| jrkfkgmfmr wrote:
| LPT: put your executable binary on GitHub/GitLab/SourceForge/...
| These locations are whitelisted since they have a ton of fresh
| binaries.
|
| Malware writers use this trick to bypass SmartScreen. Chrome's
| equivalent protection also whitelists GitHub/...
| stordoff wrote:
| Not sure this works. Just grabbed a build of WhyNotWin11[1]
| released 20 hours ago, and I get "Microsoft Defender
| SmartScreen prevented an unrecognised app from starting.
| Running this app might put your PC at risk."
|
| [1] https://github.com/rcmaehl/WhyNotWin11 (used for test as I
| thought I remembered seeing this with a build from earlier this
| week)
| laurent123456 wrote:
| I don't think that works, as I had an app hosted on GitHub, a
| signed one actually, and it was still showing the SmartScreen
| warning at first. It took a few days to go away.
| ronsor wrote:
| Well that's actually pretty concerning, and it only shows how
| broken these "security" "features" really are.
___________________________________________________________________
(page generated 2021-07-01 23:00 UTC)