Windows 10 SmartScreen Filter Blocks Installation- Publisher Unknown

[bugnot]

Please provide the following information

qBittorrent version and Operating System

4.1.5 Windows 10

What is the problem

Windows SmartScreen filter blocks installation of app due to unknown publisher.

What is the expected behavior

Should have a publisher to overcome the issue.

Steps to reproduce

Installation will get blocked on Windows 10

[bugnot]

Having a publisher even it seems unnecessary now will help overcoming this issues and many more audience will be able to install it.

[sledgehammer999]

Just ignore and proceed with the installation

[bugnot]

I know. But having this issue is a pain right now since I can not bypass filter on PC as it is not permitted. Why not the dev sign it?

[c0re100]

Well, qBittorrent is a FOSS application
IMO it's meaningless for signing FOSS application.

[Kenya-West]

Same here, just got 4.1.7 update, downloaded, then Windows SmartScreen says "Pls don't, this is unverified publisher". Ok then.

[sledgehammer999]

Of course we are unverified. We haven't a bought a MS certificate to sign our installer/binaries.

[engstud89]

Same here, just got 4.1.7 update, downloaded, then Windows SmartScreen says "Pls don't, this is unverified publisher". Ok then.

Silly question, is 4.1.7 safe? I do not see any updates via the official qbittorrent site for 4.1.7?

[Dannymx]

I have encountered many people who can't install it on Windows because they have a policy or some configuration that doesn't allow unknown publishers. This definitely doesn't help qBittorrent adoption.

[FranciscoPombal]

I have encountered many people who can't install it on Windows because they have a policy or some configuration that doesn't allow unknown publishers. This definitely doesn't help qBittorrent adoption.

You're more than welcome to buy an M$ certificate for us.

[Dannymx]

I have encountered many people who can't install it on Windows because they have a policy or some configuration that doesn't allow unknown publishers. This definitely doesn't help qBittorrent adoption.

You're more than welcome to buy an M$ certificate for us.

I'm not saying you have to buy it, I'm just stating how some users might look away to other clients because they get stuck at the first step when trying to install this program. Ultimately it's the maintainers decision if they want a bigger user base or not, I don't care, I can also switch clients.

[sledgehammer999]

Ultimately it's the maintainers decision if they want a bigger user base or not

Thanks for your concern (seriously).
But up until this moment we are an open source project that doesn't have profit as goal. So we kinda don't care about how big our user base is.
Clarification: Of course we care about the user base. But we won't do absolutely everything to maximize it.

[dpetroff]

I don't really understand the "we're FOSS, we don't need to sign" attitude. You provide an installer, and it requests elevated privileges on launch in Windows (and I assume elsewhere). This creates two problems:

The first problem is that it requests elevation on launch. Elevated privileges are not required to install for only the current user in various not-Program-Files locations on the file system (e.g. in App Data/Local, without putting shortcuts in the public/shared Start Menu/Desktop/etc.). I suppose you have to touch the registry for file/protocol association, but many other installers work just fine without touching it, so they request elevation when the Install button is pressed, and only if the install path was set to something that requires that elevation. I'm sure there is some way to update default programs without requiring elevated privileges, but as you say, you don't do absolutely everything to maximize the user base, and this option is optional in the installer anyway, so you could just drop it and leave it to the user if there is no workaround besides elevated privileges.

The second problem is, in my opinion, the actual not-just-my-personal-preference problem. Installers are signed for the same reason you certify the HTTPS connection to https://www.qbittorrent.org/. Fosshub does not possess some magical infallible security mechanism, neither does any other software distribution platform. Providing an MD5/GPG/whatever digest for manual verification by the user made sense way back when, but today, in 2020, is absolutely the most ridiculous security practice that just won't do the world a favour and die. Just remember what happened with Mint that one time. In the modern world, as soon as you rely on a user to do something reasonable, you've broken your security because you can no longer rely on the assumption that your user is a power user. As we've seen from the Mint incident, even power users do not check the checksum often enough, so that security model was always broken, which is why even Microsoft came to their senses and validates the digital signature on anything that requests elevation right there in the UAC dialog. OSX goes much further and makes it extremely difficult to install any unsigned packages. Debian packages can be signed too, although I'm not very confident that these get any attention at all since the entire Linux ecosystem seems to be stuck in the past with this.

By all means, be a FOSS project and don't provide installers. That's OK. No problem, I won't even complain, I'll just compile from source just like the old days. But if you're going to provide an installer, do the responsible thing and sign it. As far as I know, you don't even have to pay "M$" anything at all because you can have any legitimate WebTrust-certified CA to pass the check in Windows. Nobody is asking you to put qBittorrent on the Microsoft Store. Ironically, on OSX you probably have to actually pay the Apple tax to have it pass their check. Who knows, maybe they're reasonable and I'm as blinkered about Apple as @FranciscoPombal is about "M$". But I think his comment is very telling as to the mentality that creates this problem. Let me guess, you don't pay for any web servers either because you have magical FOSS powers? You got the DST certificate for https://www.qbittorrent.org/ for free, did you? ICANN itself shone godrays and sent cherubim from heaven to bestow upon you the glorious qbittorrent.org domain name at no cost whatsoever out of the goodness of its heart?

Honestly, the responses from the committers to this issue are very tone deaf. Let me show you what I had to go through for the latest version today:

Followed by the UAC prompt that I can't be bothered to figure out how to capture.

I can also tell you that I've not experienced this level of screening from any other software I've downloaded from fosshub, so there's clearly something considered scary in this installer by the screening heuristic. I've also had issues installing other unsigned software on OSX where you have to disconnect the network or disable certain parts of Gatekeeper entirely for the installation to proceed, so signing the installer can save users a lot of frustration and faff and is far from a Windows-only issue that can be swept under the rug.