Warnings a2_installer.exe might be dangerous #186

Closed
sirtet opened this issue May 8, 2019 · 6 comments

sirtet commented May 8, 2019

Just downloaded the pre-release 0.0.5 installer,
and Chrome gives a warning about the file being suspicious, potentially dangerous.
Maybe something can be done to mitigate this false accusation?

@ewerybody
Owner

Yeah I finally managed to have basic Versioning and Details on the installer executable and the commits have the Verified label next to the releases due to GPG. But the executable itself is not "Windows"-signed yet.
It will also pop a Windows warning where it says "Unknown publisher" although everything is set in the Details... :/

I actually just moved away from Windows SDK for the versioning and manifest setting to rcedit.
But maybe the answer to proper signing is still in there! Signtool?
This would probably catch both problems (that is Chrome and Windows complaining).

  • build installer with manifest that keeps from asking for elevation (no admin rights needed)
  • added our own details to installer executable
  • update versioning on installer executable build
  • ahk executables compression deactivated (vastly lowered the amount of antiviruses complaining)
  • have commits GPG signed so releases appear as Verified on GitHub.
  • Have the installer executable signed with Windows SDK (fixes Chrome and Windows complaining?)

@ewerybody ewerybody self-assigned this May 9, 2019
@ewerybody ewerybody added this to To do in first release via automation May 9, 2019
@ewerybody
Owner

But yes: We need to solve this before we go public.

@ewerybody
Owner

Here is Lexikos' post about signing the installer executable:
https://www.autohotkey.com/boards/viewtopic.php?p=270699#p270699

dang this opens a can of worms :/

@ewerybody ewerybody changed the title Chrome warning a2_installer might be dangerous Warnings a2_installer.exe might be dangerous May 9, 2019
@ewerybody ewerybody removed this from To do in first release Jul 2, 2020
@ewerybody
Owner

I'll move this to the backlog for now.
Things WILL be the same until this is moved to the a2script org.
Then I might buy a certificate thing and all that. Not before.
I'm sorry. Currently I see this as WAY too much for a hobby project 😐

@ewerybody
Owner

Whoa, I just found this: https://www.microsoft.com/en-us/wdsi/filesubmission
