I have made free software and converted it into an NSIS installer. But the issue is that when users download the setup.exe, they first get a Chrome warning that the file is not commonly downloaded and may be dangerous, with a Keep button hidden under an arrow button.
Even if they choose to keep the file, when they open the installer, Windows SmartScreen shows up and warns the users again.
Is there a way I can get past these two for free? I mean, I don't charge my users anything.
I only know a way to bypass the download warning. It is not the prettiest solution, but I am currently using it while researching other possibilities.
My way to bypass the SmartScreen download filter is to bundle your setup.exe into a .zip, for instance, and have users download the zip file instead; they can then run the setup.exe from within it. After some testing and feedback, most of our users don't notice this small extra step.
When they run the setup, you need to have signed the installer using a valid certificate for the Windows warning to go away. Here I have not found any clever ways to avoid this, so you need to pay some certificate authority to create a valid certificate for your software.
Hope this answers your question.
I am new to Python. I managed to write my code for logging versions and generated an executable using cx_Freeze. It is working fine on my machine, but when I take it to other machines, I'm getting a Windows SmartScreen error.
Any idea how to get rid of this?
Quick help required.
Thanks in advance.
That is how SmartScreen works, it blocks "unpopular" executables. Depending on the system configuration the user might be able to click on "More Info" and run it anyway.
If enough people download and run your .exe then the SmartScreen block will go away. Microsoft does not specify how many downloads are required in their FAQ:
When you download a program from the Internet, SmartScreen Filter will check the program against a list of programs that are downloaded by a significant number of other Internet Explorer users and a list of programs that are known to be unsafe. If the program you're downloading isn't on either list, SmartScreen Filter will display a warning that the file isn't "commonly downloaded."
SmartScreen checks files that you download from the web against a list of reported malicious software sites and programs known to be unsafe. If it finds a match, SmartScreen will warn you that the download has been blocked for your safety. SmartScreen also checks the files that you download against a list of files that are well known and downloaded by many people who use Internet Explorer. If the file that you're downloading isn't on that list, SmartScreen will warn you.
Microsoft SmartScreen & Extended Validation (EV) Code Signing Certificates:
Code signing is important to our reputation intelligence because this higher level identity allows us to build reputation across multiple programs signed by a publisher. It is also important for publishers because signed programs inherit the reputation of the certificate with which they are signed; this means every program a publisher distributes doesn't need to build reputation individually.
...
Programs signed by an EV code signing certificate can immediately establish reputation with SmartScreen reputation services even if no prior reputation exists for that file or publisher.
Removing the "Mark of the Web" by unblocking it in the file's properties should also prevent the SmartScreen message.
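The "Mark of the Web" mentioned above is an NTFS alternate data stream named Zone.Identifier that browsers attach to downloads; SmartScreen and the Unblock checkbox key on it. The script below is an added example (not code from the answer above) that reads and decodes that stream and shows what unblocking removes. It assumes Windows PowerShell 5.1 or later on an NTFS volume; the sample file and its stream are constructed in the script.

```powershell
# Added example: inspect the Mark of the Web on a downloaded file.
# Assumes Windows PowerShell 5.1+ and an NTFS volume (ADS is an NTFS feature).

function Get-MarkOfTheWeb {
    param([Parameter(Mandatory)][string]$Path)

    # -Stream reads the Zone.Identifier alternate data stream; absent stream -> $null.
    $lines = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $lines) { return $null }

    $info = [ordered]@{ Path = $Path; ZoneId = $null; ReferrerUrl = $null; HostUrl = $null }
    foreach ($line in $lines) {
        # The stream is INI-like: [ZoneTransfer] followed by key=value lines.
        if ($line -match '^(ZoneId|ReferrerUrl|HostUrl)=(.*)$') {
            $info[$Matches[1]] = $Matches[2]
        }
    }
    # ZoneId 3 = Internet, 4 = Restricted sites; both make SmartScreen inspect the file.
    if ($info.ZoneId -ne $null) { $info.ZoneId = [int]$info.ZoneId }
    [pscustomobject]$info
}

function Test-IsFromInternet {
    param([Parameter(Mandatory)][string]$Path)
    $motw = Get-MarkOfTheWeb -Path $Path
    return ($null -ne $motw -and $motw.ZoneId -ge 3)
}

# --- Constructed sample: a throwaway file with a hand-written Zone.Identifier stream ---
$sample = Join-Path $env:TEMP 'motw-sample.exe'
Set-Content -LiteralPath $sample -Value 'not a real executable'
Set-Content -LiteralPath $sample -Stream Zone.Identifier -Value @(
    '[ZoneTransfer]',
    'ZoneId=3',
    'HostUrl=https://example.invalid/setup.exe'   # placeholder URL
)

Get-MarkOfTheWeb -Path $sample | Format-List          # shows ZoneId 3 and the HostUrl
"From Internet before unblock: $(Test-IsFromInternet -Path $sample)"   # True

# Unblock-File deletes the stream; this is what the Properties > Unblock checkbox does.
# Only do this to a file whose signature you have checked yourself.
Unblock-File -LiteralPath $sample
"From Internet after unblock:  $(Test-IsFromInternet -Path $sample)"   # False

Remove-Item -LiteralPath $sample
```

Note that the stream is per-file: extracting an installer from a downloaded .zip with Windows Explorer propagates the mark to the extracted file, which is why the zip trick in the first answer only avoids the browser-side warning and not SmartScreen on launch.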
I've created a setup.exe file and loaded it onto my web site for downloading. The .exe file has been code signed with a certificate from GoDaddy. When downloading the .exe file from my website using Win7, it detects the certificate and displays it as a safe download. On Win10 the .exe file downloads fine, but when opening the .exe, SmartScreen blocks it from opening. I have many users using Win10 and don't want to explain to them how to turn off SmartScreen. What are my options to get this .exe past Win10 SmartScreen?
The Windows SmartScreen alert will go away after enough people download and run it. If your software is not that popular then the warning will never go away and there is not much you can do about it. You can try to get yourself whitelisted but I would not hold my breath while waiting for that. Microsoft does not document what enough downloads is.
SmartScreen checks files that you download from the web against a list of reported malicious software sites and programs known to be unsafe. If it finds a match, SmartScreen will warn you that the download has been blocked for your safety. SmartScreen also checks the files that you download against a list of files that are well known and downloaded by many people who use Internet Explorer. If the file that you're downloading isn't on that list, SmartScreen will warn you.
Signing will help you bypass smartscreen on updates you release in the future but it will not let you bypass the initial warning:
Downloads are assigned a reputation rating based on many criteria, such as download traffic, download history, past antivirus results and URL reputation. Reputation is generated and assigned to digital certificates as well as specific files.
According to this answer, passing and uploading the results from the Windows App Certification Kit tests will build reputation faster (requires a SysDev account).
See also:
SmartScreen® Application Reputation in IE9
SmartScreen® Application Reputation – Building Reputation
Introducing SmartScreen® Application Reputation
Here is my dilemma: I am trying to perform application whitelisting based on publisher, which in turn is based on whether or not the application has been signed. The issue is, unsigned software does not have a publisher listed. My idea was to vet unsigned software and, if approved for use, sign it with our internal code signing certificate.
I tested this process using Microsoft's signtool and it seemed to work, but here is the issue. When I tested it, I did it on an installer.exe; after that I installed the application, which then created a file in Program Files with the other installed .exes that came with it. When I check the signature of the .exes that were installed in Program Files, it says that they are unsigned! I know I could go and run the same command on those to sign them, but that is not feasible if we were to deploy this to numerous end systems.
My question is: Is there a way to sign the installer so that, when it is installed, the .exes that are installed will also be signed by our internal certificate? Or is there a way to install the application, sign the necessary files, and then repackage it for deployment?
Sorry for the long question, but I can't think of a way to get this done, and I figure since application whitelisting is hot right now someone must have had a similar issue. Also, I know that we can use Path or Hash, but that is not what I am trying to do here.
Thanks
First of all, I don't recommend signing vendor code with your corporate signature. I'm not sure if you are doing that or not but if you are, I'd suggest being careful. Unless you know exactly what's in the code, signing someone else's code is just not a good idea.
You are correct that the exes from the installer are unsigned; that's how the process works. When you sign an executable, you are only signing that exe and not the content of the cab file it extracts and lays down.
I use McAfee Application Control with signed installers, and that works out well. I trust my company's signature as an updater (allows it to change files), and it installs the software as desired without signing each executable.
So, let's go through the questions (sorry if this is long).
Is there a way to sign the installer and sign its subordinate exes? Not that I know of. Files are signed individually. You could probably automate that somehow; that's for a different thread. I'm no expert on signatures but in my experience when I've signed an installer that hasn't recursed into the installed content.
is there a way to install the application and sign the necessary files and then repackage it for deployment? Technically possible. Keep in mind that if you repackage a vendor install, you lose support on the install. There are several snapshotting tools out there that would do a delta on what was installed and would let you gather that info and then sign the files. That's an application packaging question on how to create the install from a snapshot.
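Before deciding whether a publisher rule will cover an installed product, it helps to see exactly which files the installer laid down carry a valid signature, by whom, and which are unsigned or have been modified after signing. The script below is an added example (not part of the answer above) that audits an install directory with Get-AuthenticodeSignature. It assumes Windows PowerShell 5.1 or later; the install path and the expected certificate thumbprint are placeholders.

```powershell
# Added example: Authenticode audit of an installed product tree.
# Assumes Windows PowerShell 5.1+. $InstallRoot and $ExpectedThumbprint are placeholders.

function Get-SignatureReport {
    param(
        [Parameter(Mandatory)][string]$InstallRoot,
        [string[]]$Include = @('*.exe', '*.dll', '*.msi', '*.ps1')
    )
    # -Include is honoured because -Recurse is present.
    Get-ChildItem -LiteralPath $InstallRoot -Recurse -File -Include $Include |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
            [pscustomobject]@{
                File       = $_.FullName
                # Valid, NotSigned, HashMismatch (modified after signing), UnknownError ...
                Status     = $sig.Status
                Publisher  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
                Thumbprint = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { $null }
            }
        }
}

function Get-UncoveredFiles {
    # Files a publisher rule bound to $ExpectedThumbprint would NOT allow:
    # anything unsigned, tampered, or signed by some other certificate.
    param(
        [Parameter(Mandatory)][object[]]$Report,
        [Parameter(Mandatory)][string]$ExpectedThumbprint
    )
    $Report | Where-Object {
        $_.Status -ne 'Valid' -or $_.Thumbprint -ne $ExpectedThumbprint
    }
}

$InstallRoot        = 'C:\Program Files\VendorApp'                  # placeholder
$ExpectedThumbprint = '0000000000000000000000000000000000000000'    # placeholder

$report = Get-SignatureReport -InstallRoot $InstallRoot

# Summary by signature status, then by publisher.
$report | Group-Object Status    | Select-Object Name, Count
$report | Group-Object Publisher | Select-Object Name, Count

# The list you would have to deal with (hash rule, vetting, or rejection) before a
# publisher-only whitelist could be trusted to cover the whole product.
Get-UncoveredFiles -Report $report -ExpectedThumbprint $ExpectedThumbprint |
    Format-Table Status, Thumbprint, File -AutoSize
```

Run it once against a clean test install of the vendor package; the unsigned entries are the files the answer above refers to, and a HashMismatch entry means a signed file was altered after signing, which is worth investigating rather than re-signing.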
I always use Inno Setup for packaging and publishing. Users download the application using a link for example: https://oursite.com/codesigned/mysetup.exe
Until now, it always worked. But recently I had to renew my code signing certificate because it expired. After the renewal I have a SmartScreen problem: every user who downloads the application gets this SmartScreen warning, which did not happen before.
I have used signtool.exe verify /pa innosetup-made-myexe.exe and it shows success; I have also done the verification with the Windows App Certification Kit, which shows PASSED, but with WARNINGS, and all those WARNINGS are mostly generated by Inno Setup.
Here you can find the output, where it shows WARNINGS on the Inno Setup exes:
https://docs.google.com/document/d/11frW_GxI0xSVcrAXh4_rqcKBQSaermAlpYKj4xzQi4o/pub
How can I fix this problem?
(Still not sure if it's a Standard Code Signing vs. EV Code Signing issue? I have already used Standard Code Signing for a few years and it always worked. I can upgrade to EV Code Signing, but how can I make sure it's not an Inno Setup compiler problem? As you can see, the WARNINGS shown in the URL above point to Inno Setup.)
To verify whether it's an Inno Setup or a code signing issue (see https://stackoverflow.com/a/29067585/285594), I have done the following:
From Microsoft, I downloaded the file called winqual.exe, which does not need Inno Setup.
I code signed the winqual.exe and uploaded it to the same server.
I downloaded the same file with Internet Explorer and it works without showing me the SmartScreen warning.
Does it make any sense now that Inno Setup is the main cause of this problem?
Nowadays, you have to use EV code signing certificates.
See Transferring Microsoft SmartScreen reputation to renewed certificate.
Below is the original answer, which addresses some specifics of the question.
If you believe the problem is due to an unsigned uninstaller, make sure you set the SignTool directive of your Inno Setup project accordingly. And make sure the SignedUninstaller directive has its default value yes.
Quoting SignTool directive documentation:
Specifies the name and parameters of the Sign Tool to be used to digitally sign Setup (and Uninstall if SignedUninstaller is set to yes). When Setup has a valid digital signature, users will not see an "unidentified program" warning when launching it.
If you want to set the NXCOMPAT and DYNAMICBASE flags on the uninstaller, you can create a sign.bat batch file that calls both editbin.exe and signtool.exe:
@echo off
rem editbin rewrites the PE header, so it must run before signing
editbin.exe /NXCOMPAT /DYNAMICBASE %1
rem sign last; put your usual signing parameters in place of "..."
signtool.exe sign ... %1
The calls need to be in this order; otherwise editbin.exe breaks the signature.
Then use sign.bat instead of signtool.exe in the SignTool directive.
Though I do not really think this is necessary, nor helps anything.
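As an added example (not Martin Prikryl's code, and not the sign.bat above), here is the same edit-then-sign sequence as a PowerShell script that also timestamps the signature and verifies the result, which is the part people most often miss when a renewed certificate starts triggering SmartScreen. It assumes editbin.exe and signtool.exe are on PATH (Windows SDK / Visual Studio tools), that a code signing certificate with the given subject is in the user's certificate store, and that the certificate subject and timestamp URL are placeholders you replace.

```powershell
# Added example: sign.ps1 - PowerShell equivalent of sign.bat with timestamping and verification.
# Assumes editbin.exe and signtool.exe on PATH. $CertSubject and $TimestampUrl are placeholders.
param(
    [Parameter(Mandatory)][string]$File,
    [string]$CertSubject  = 'My Company, Inc.',                  # placeholder: your cert's subject name
    [string]$TimestampUrl = 'http://timestamp.example.invalid'   # placeholder: your CA's RFC 3161 URL
)

function Invoke-Step {
    # Runs an external tool and stops the script on a non-zero exit code,
    # so a failed editbin never leaves an unsigned or half-signed file behind.
    param([Parameter(Mandatory)][string]$Exe, [string[]]$Arguments)
    & $Exe @Arguments
    if ($LASTEXITCODE -ne 0) { throw "$Exe failed with exit code $LASTEXITCODE" }
}

# 1. Modify the PE header BEFORE signing; doing it afterwards invalidates the signature.
Invoke-Step -Exe 'editbin.exe' -Arguments @('/NXCOMPAT', '/DYNAMICBASE', $File)

# 2. Sign with a SHA-256 file digest (/fd) and an RFC 3161 SHA-256 timestamp (/tr, /td).
#    The timestamp keeps the signature valid after the certificate itself expires.
Invoke-Step -Exe 'signtool.exe' -Arguments @(
    'sign', '/n', $CertSubject, '/fd', 'SHA256',
    '/tr', $TimestampUrl, '/td', 'SHA256', $File
)

# 3. Verify against the default Authenticode policy, as the question did with "verify /pa".
Invoke-Step -Exe 'signtool.exe' -Arguments @('verify', '/pa', '/v', $File)

# 4. Independent check of the ordering: a file edited after signing reports HashMismatch here.
$sig = Get-AuthenticodeSignature -LiteralPath $File
if ($sig.Status -ne 'Valid') { throw "Signature status is $($sig.Status); expected Valid" }
"Signed $File as $($sig.SignerCertificate.Subject)"
```

Register it in the Inno Setup IDE as a Sign Tool command, for example powershell.exe -ExecutionPolicy Bypass -File sign.ps1 $f, where $f is Inno's placeholder for the file being signed, and refer to that command in the SignTool directive the same way the batch file would be.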
I think this is normal behavior.
When your software collects enough "likes" (downloads or installs), SmartScreen will automatically turn off this message.
It is a really annoying feature, because with every software release you need to wait an appropriate time while the software becomes "popular" and is recognized as safe (no certificates or antivirus methods can solve it).
You do NOT need this "Windows Application Certification Kit".
What #slappy says is correct:
After renewal of your certificate, you need enough downloads and "good reviews" before this message goes away.
What you need to do is to download your application using Microsoft Edge (not Chrome or Firefox!!!).
It will most likely say "This download may be dangerous and has been blocked".
Then you can choose "Keep anyways". And then you can choose "Report as Secure".
And THEN, even if SmartScreen says that it doesn't trust your app (even though it's digitally signed, LOL!!!!), you have to choose "More..." and "Install anyways".
Install it on your computer! I think that is important.
I have used 5 different computers and reported my apps as secure multiple times and installed it.
I have also asked 2 friends (because of their different IP address) to do the same.
I hate this so much!!!!!!!!!!
After 1 day, the error message was gone.
I've created an installer .exe for my app and made it available for download. When users download it they end up getting a message from Windows about the "publisher not verified". I'd like to see what is required to get rid of this.
I found articles indicating that different system settings would avoid it, however, I don't want to require users to change any settings. I'd rather see what I need to do on my end to avoid them from seeing the message in the first place.
I'm sure the answer has something to do with code signing, however, in order to sign my code doesn't that also mean I have to be Windows logo-certified? Not sure I want to go through that. Or is that a separate thing? Is there a way to sign it without being logo-certified?
"Logo-certified" involves obtaining a code signing certificate, but in your case no logo certification is needed. You just purchase a code signing certificate from one of the certificate authorities (no, a self-signed certificate won't work) and that's it.