Windows 10 SmartScreen Filter Blocks Installation- Publisher Unknown #10045

Closed
bugnot opened this issue Dec 25, 2018 · 12 comments
Labels
OS: Windows Issues specific to Windows

Comments

@bugnot

bugnot commented Dec 25, 2018

Please provide the following information

qBittorrent version and Operating System

4.1.5 Windows 10

What is the problem

Windows SmartScreen filter blocks installation of app due to unknown publisher.

What is the expected behavior

Should have a publisher to overcome the issue.

Steps to reproduce

Installation will get blocked on Windows 10

@bugnot
Author

bugnot commented Dec 25, 2018

Having a publisher, even if it seems unnecessary now, will help overcome this issue, and a much larger audience will be able to install it.

@sledgehammer999
Member

Just ignore and proceed with the installation

@bugnot
Author

bugnot commented Dec 25, 2018

I know. But having this issue is a pain right now since I cannot bypass the filter on the PC as it is not permitted. Why doesn't the dev sign it?

@c0re100

c0re100 commented Dec 25, 2018

Well, qBittorrent is a FOSS application
IMO it's meaningless to sign a FOSS application.

@Kenya-West

Same here, just got 4.1.7 update, downloaded, then Windows SmartScreen says "Pls don't, this is unverified publisher". Ok then.

@sledgehammer999
Member

Of course we are unverified. We haven't bought an MS certificate to sign our installer/binaries.

@engstud89

> Same here, just got 4.1.7 update, downloaded, then Windows SmartScreen says "Pls don't, this is unverified publisher". Ok then.

Silly question, is 4.1.7 safe? I do not see any updates via the official qbittorrent site for 4.1.7?

FranciscoPombal added the "OS: Windows" label Feb 19, 2020
@Dannymx

Dannymx commented Apr 23, 2020

I have encountered many people who can't install it on Windows because they have a policy or some configuration that doesn't allow unknown publishers. This definitely doesn't help qBittorrent adoption.

@FranciscoPombal
Member

> I have encountered many people who can't install it on Windows because they have a policy or some configuration that doesn't allow unknown publishers. This definitely doesn't help qBittorrent adoption.

You're more than welcome to buy an M$ certificate for us.

@Dannymx

Dannymx commented Apr 23, 2020

> > I have encountered many people who can't install it on Windows because they have a policy or some configuration that doesn't allow unknown publishers. This definitely doesn't help qBittorrent adoption.
>
> You're more than welcome to buy an M$ certificate for us.

I'm not saying you have to buy it, I'm just stating how some users might look away to other clients because they get stuck at the first step when trying to install this program. Ultimately it's the maintainers' decision if they want a bigger user base or not, I don't care, I can also switch clients.

@sledgehammer999
Member

> Ultimately it's the maintainers' decision if they want a bigger user base or not

Thanks for your concern (seriously).
But up until this moment we are an open source project that doesn't have profit as a goal. So we kinda don't care about how big our user base is.
Clarification: Of course we care about the user base. But we won't do absolutely everything to maximize it.

@dpetroff

I don't really understand the "we're FOSS, we don't need to sign" attitude. You provide an installer, and it requests elevated privileges on launch in Windows (and I assume elsewhere). This creates two problems:

The first problem is that it requests elevation on launch. Elevated privileges are not required to install for only the current user in various not-Program-Files locations on the file system (e.g. in App Data/Local, without putting shortcuts in the public/shared Start Menu/Desktop/etc.). I suppose you have to touch the registry for file/protocol association, but many other installers work just fine without touching it, so they request elevation when the Install button is pressed, and only if the install path was set to something that requires that elevation. I'm sure there is some way to update default programs without requiring elevated privileges, but as you say, you don't do absolutely everything to maximize the user base, and this option is optional in the installer anyway, so you could just drop it and leave it to the user if there is no workaround besides elevated privileges.

The second problem is, in my opinion, the actual not-just-my-personal-preference problem. Installers are signed for the same reason you certify the HTTPS connection to https://www.qbittorrent.org/. Fosshub does not possess some magical infallible security mechanism, neither does any other software distribution platform. Providing an MD5/GPG/whatever digest for manual verification by the user made sense way back when, but today, in 2020, is absolutely the most ridiculous security practice that just won't do the world a favour and die. Just remember what happened with Mint that one time. In the modern world, as soon as you rely on a user to do something reasonable, you've broken your security because you can no longer rely on the assumption that your user is a power user. As we've seen from the Mint incident, even power users do not check the checksum often enough, so that security model was always broken, which is why even Microsoft came to their senses and validates the digital signature on anything that requests elevation right there in the UAC dialog. OSX goes much further and makes it extremely difficult to install any unsigned packages. Debian packages can be signed too, although I'm not very confident that these get any attention at all since the entire Linux ecosystem seems to be stuck in the past with this.

By all means, be a FOSS project and don't provide installers. That's OK. No problem, I won't even complain, I'll just compile from source just like the old days. But if you're going to provide an installer, do the responsible thing and sign it. As far as I know, you don't even have to pay "M$" anything at all because you can have any legitimate WebTrust-certified CA to pass the check in Windows. Nobody is asking you to put qBittorrent on the Microsoft Store. Ironically, on OSX you probably have to actually pay the Apple tax to have it pass their check. Who knows, maybe they're reasonable and I'm as blinkered about Apple as @FranciscoPombal is about "M$". But I think his comment is very telling as to the mentality that creates this problem. Let me guess, you don't pay for any web servers either because you have magical FOSS powers? You got the DST certificate for https://www.qbittorrent.org/ for free, did you? ICANN itself shone godrays and sent cherubim from heaven to bestow upon you the glorious qbittorrent.org domain name at no cost whatsoever out of the goodness of its heart?

Honestly, the responses from the committers to this issue are very tone deaf. Let me show you what I had to go through for the latest version today:

[five screenshots]

Followed by the UAC prompt that I can't be bothered to figure out how to capture.

I can also tell you that I've not experienced this level of screening from any other software I've downloaded from fosshub, so there's clearly something considered scary in this installer by the screening heuristic. I've also had issues installing other unsigned software on OSX where you have to disconnect the network or disable certain parts of Gatekeeper entirely for the installation to proceed, so signing the installer can save users a lot of frustration and faff and is far from a Windows-only issue that can be swept under the rug.
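
The two checks contrasted in the comment above, an Authenticode signature and a manually compared digest, can be scripted together. This is an added example, not code from the qBittorrent project or from any commenter; the function name `Test-InstallerTrust`, the file path and the expected digest are hypothetical placeholders.

```powershell
# Added example: report signature, digest and download-origin state for one installer.
# Test-InstallerTrust is a hypothetical helper name; path and digest are placeholders.
function Test-InstallerTrust {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedSha256
    )

    $file = Get-Item -LiteralPath $Path -ErrorAction Stop

    # Authenticode signature: the source of the publisher name shown in the UAC dialog.
    $sig = Get-AuthenticodeSignature -LiteralPath $file.FullName
    $publisher = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }

    # Manual digest check: only as trustworthy as the channel the expected value came from.
    $actual = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash

    # Zone.Identifier alternate data stream: present on files saved by a browser.
    $motw = Get-Content -LiteralPath $file.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue

    [pscustomobject]@{
        File            = $file.Name
        SignatureStatus = $sig.Status      # e.g. Valid, NotSigned, HashMismatch
        Publisher       = $publisher
        Sha256          = $actual
        DigestMatches   = ($actual -eq $ExpectedSha256.Trim())
        MarkOfTheWeb    = [bool]$motw
    }
}

# Placeholder inputs: substitute the downloaded file and the digest the project publishes.
$result = Test-InstallerTrust -Path '.\installer-placeholder.exe' `
                              -ExpectedSha256 '<SHA-256 published by the project>'
$result | Format-List

if ($result.SignatureStatus -ne 'Valid' -and -not $result.DigestMatches) {
    Write-Warning 'No valid signature and no matching digest for this file.'
}
```

An unsigned installer reports `NotSigned` with an empty `Publisher`, which is the state the "unknown publisher" prompt reflects; the digest comparison is then the only remaining integrity check.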

qbittorrent locked and limited conversation to collaborators Feb 25, 2021