Windows won't correctly download or install or claims virus [needs to be signed] #930

Closed
Jaybonaut opened this issue Nov 14, 2023 · 10 comments

@Jaybonaut

Operating System Version

Windows 10

OBS Version

N/A

NDI Tools Version

N/A

Describe the bug

Just try to download it to your desktop. It immediately wipes it and you have to download it to a folder that you tell Windows Defender to avoid scanning.

Steps to reproduce

See bug description

Expected behavior

No response

Screenshots

No response

Additional context

No response

@paulpv
Member

paulpv commented Nov 14, 2023

@Jaybonaut Yeah, I was afraid of that.

I have 4 PCs, two of them literally identical, but only one of them, one of the twins, reports the download as suspicious.

Grrr.

(FYI: The code is open source for anyone to see that this plugin is not intentionally doing anything bad.)

What I do is go into Windows Virus whatever and add an Exclusion folder:
image

Chrome still lets me download it with an extra step.
image
image

I either move the file into that folder, or directly download the file into that folder.
image

I can then run it.
Windows may still nag that it is an unknown/untrusted app.
image

You can click on "More info" and then "Run anyway".
image

I am working w/ @Palakis and learning from @exeldro to get this signed.

I will keep this bug open as the main bug on this issue until it is fixed.

Thanks for reporting and reminding me.

@paulpv paulpv added packaging and removed triage labels Nov 14, 2023
@Jaybonaut
Author

Yeah that's what I mentioned in my post:

"you have to download it to a folder that you tell Windows Defender to avoid scanning."

No problem, I just noticed it wasn't mentioned and thought someone should say something in case. I appreciate all your hard work everyone.

@paulpv paulpv changed the title from "[Bug]: 4.13 Windows 10 - claims virus, won't correctly download" to "[Bug]: Windows claims virus, won't correctly download or install [needs to be signed]" Nov 15, 2023
@paulpv paulpv changed the title from "[Bug]: Windows claims virus, won't correctly download or install [needs to be signed]" to "Windows won't correctly download or install or claims virus [needs to be signed]" Nov 15, 2023
@paulpv
Member

paulpv commented Nov 15, 2023

Interesting comment related to signing:
sigstore/fulcio#250 (comment)
Here are your options:

  1. You don't sign your code. You release MyApp-v1.exe. People get smart screen warnings for a while until the reputation on that file increases. You release MyApp-v2.exe. People get warnings again until MyApp-v2.exe builds up enough reputation.
  2. You sign your code with an OV certificate. You release MyApp-v1.exe. People get smart screen warnings for a while until the reputation on that certificate increases. You release MyApp-v2.exe. People don't get warnings because the certificate already has a good reputation. Eventually your certificate expires and it comes time to release MyApp-v47.exe. You renew your certificate, but people still get warnings until the new one builds up reputation.
  3. You sign your code with an EV certificate. People never get warnings.

@Palakis and I looked a bit into sigstore, but per sigstore/fulcio#250 it does not stop Windows from warning:
Per sigstore/fulcio#250 (comment)

you would still have the same UX of having to click through a warning.
That seems pretty useless then for end users.
sigstore sounds great for a plethora of other signing purposes...just not for end-user installs...which is our use-case. :/

@paulpv
Member

paulpv commented Nov 15, 2023

This problem seems to have two layers:

  1. The browser complains about the file before it is downloaded:
    Does the browser itself test the signature? How does it do this? Is it different for each browser?
  2. Windows complains about the file after it is downloaded:
    How to accelerate the Smart Screen allowance?
    https://learn.microsoft.com/en-us/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/
    https://learn.microsoft.com/en-us/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/#submit-files-to-microsoft-defender-smartscreen-for-review

@Jaybonaut
Author

Yeah I've dealt with unsigned warnings before, this is beyond that: Windows will nuke it before you can even double click it claiming it is a threat. Unless you put 4.13 in an unscanned folder, I can't even get the chance to try to open it.

@paulpv
Member

paulpv commented Nov 15, 2023

FYI, I am submitting the following to:
https://www.microsoft.com/en-us/wdsi/filesubmission/?persona=SoftwareDeveloper
image

@paulpv
Member

paulpv commented Nov 16, 2023

For personal reference, I can track the submission, and future submissions, at:
https://www.microsoft.com/en-us/wdsi/submissionhistory

@paulpv
Member

paulpv commented Nov 16, 2023

w00t!
image

@paulpv
Member

paulpv commented Nov 16, 2023

w00t! No warning downloading...
image
...OR EVEN INSTALLING!

@Jaybonaut
Author

Congrats, I can confirm
