I publish a C# application with ClickOnce. I'm using a signed certificate obtained from StartSSL (Class 2 Code Signing).
The ClickOnce application is downloadable through an IIS server hosted on my own: http://my.dyndns.biz:8090\MyAppName
I tested the installation process on the same PC as the one I use to develop the application, and my antivirus (Nod32) stops the download because it thinks the source is dangerous.
How do I prevent the antivirus from stopping the operation (I don't want to disable it)?
P.S. The publisher of the application is not unknown
Thanks
I have what appears to be a valid signed Electron Windows application. I am using Electron Builder to sign the app for Windows with the same Apple .p12 certificate that we use to sign the app for macOS. The Electron Builder website mentions the following:
Code Signing Certificate shows a warning during installation that goes away once enough users installed your application and you’ve built up trust.
https://www.electron.build/code-signing#where-to-buy-code-signing-certificate
How long does it take for this trust to build up?
Here is a screenshot showing the certificate details in Windows:
Windows SmartScreen lists the publisher for the app as "Unknown publisher". Is there something I am missing here?
Even though this sounds irresponsible, the answer is that you never know when your application will earn enough reputation to pass SmartScreen filtering. It's not a static / fixed time period.
https://www.ssl.com/faqs/which-code-signing-certificate-do-i-need-ev-ov/#smartscreen
Unfortunately, Microsoft does not publish guidelines on what constitutes enough downloads to eliminate SmartScreen warnings. Microsoft has also indicated in the past that signing code is a “best practice” that you “can follow to help establish and maintain reputation for your applications.”
Unless you use an EV cert, the only way to accelerate this is to publish your application and get meaningful numbers of user downloads and installs without malicious behavior.
I always use Inno Setup for packaging and publishing. Users download the application using a link for example: https://oursite.com/codesigned/mysetup.exe
Till now, it always worked. But recently I had to renew my code signing certificate because it expired. After the renewal I have a SmartScreen problem: every user who downloads the application gets this SmartScreen warning, which did not appear before.
I have used signtool.exe verify /pa innosetup-made-myexe.exe and it shows successful; I have also done the verification with Windows Application Certification Kit, which shows it PASSED, but with WARNINGS, and those WARNINGS are mostly generated by Inno Setup.
Here you can find the output, where it's showing WARNINGS on Inno Setup exes:
https://docs.google.com/document/d/11frW_GxI0xSVcrAXh4_rqcKBQSaermAlpYKj4xzQi4o/pub
How can I fix this problem?
(Still not sure if it's a Standard Code Signing vs EV code signing issue? I already used Standard Code Signing for a few years, and it always worked. I can upgrade to EV Code signing, but how can I make sure it's not an Inno Setup compiler problem? As you can see, the WARNINGS shown at the URL above are attributed to Inno Setup.)
To verify if it's Inno Setup or code signing issue (see https://stackoverflow.com/a/29067585/285594), I have done following:
From Microsoft, I have downloaded the file called winqual.exe, which does not need Inno Setup.
I code signed the winqual.exe and uploaded to my same server
I downloaded the same file with Internet Explorer and it works without showing me the SmartScreen.
Does it make any sense now if Inno Setup is the main cause of this problem?
Nowadays, you have to use EV code signing certificates.
See Transferring Microsoft SmartScreen reputation to renewed certificate.
Below is the original answer, which addresses some specifics of the question.
If you believe the problem is due to an unsigned uninstaller, make sure you set the SignTool directive of your Inno Setup project accordingly. And make sure the SignedUninstaller directive has its default value yes.
Quoting SignTool directive documentation:
Specifies the name and parameters of the Sign Tool to be used to digitally sign Setup (and Uninstall if SignedUninstaller is set to yes). When Setup has a valid digital signature, users will not see an "unidentified program" warning when launching it.
If you want to set NXCOMPAT and DYNAMICBASE flags to the uninstaller, you can create a sign.bat batch file that both calls signtool.exe and editbin.exe:
@echo off
editbin.exe /NXCOMPAT /DYNAMICBASE %1
signtool.exe sign ... %1
The calls need to be in this order, otherwise the editbin.exe breaks the signature.
Then use the sign.bat instead of signtool.exe in the SignTool directive.
Though I do not really think this is necessary, nor helps anything.
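A check for the outcome of that sign.bat ordering, as an added example that is not part of the original answer: it reads a PE header and reports whether the NXCOMPAT and DYNAMICBASE flags are set and whether an Authenticode certificate table is attached. The function names and the constructed sample header are assumptions for illustration; a present certificate table does not prove the signature is valid, which is what signtool.exe verify /pa checks.

```python
import struct

DYNAMIC_BASE = 0x0040  # DllCharacteristics bit set by editbin /DYNAMICBASE
NX_COMPAT = 0x0100     # DllCharacteristics bit set by editbin /NXCOMPAT
SECURITY_DIR = 4       # data directory index of the Authenticode certificate table


def inspect_pe(data: bytes) -> dict:
    """Report the two hardening flags and whether a signature blob is attached."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = pe_off + 24  # optional header follows the 4-byte signature + 20-byte COFF header
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    dirs = opt + (96 if magic == 0x10B else 112)  # PE32 vs PE32+
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    (num_dirs,) = struct.unpack_from("<I", data, dirs - 4)
    cert_off = cert_size = 0
    if num_dirs > SECURITY_DIR:
        cert_off, cert_size = struct.unpack_from("<II", data, dirs + 8 * SECURITY_DIR)
    return {
        "nxcompat": bool(dll_chars & NX_COMPAT),
        "dynamicbase": bool(dll_chars & DYNAMIC_BASE),
        # Presence only: validity is what `signtool.exe verify /pa` checks.
        "signature_present": cert_off != 0 and cert_size != 0,
    }


def build_sample_pe(dll_chars: int, signed: bool) -> bytes:
    """Constructed minimal PE32 header for the demo; not a loadable image."""
    buf = bytearray(0x200)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)       # e_lfanew
    buf[0x40:0x44] = b"PE\0\0"
    opt = 0x40 + 24
    struct.pack_into("<H", buf, opt, 0x10B)       # PE32 magic
    struct.pack_into("<H", buf, opt + 70, dll_chars)
    struct.pack_into("<I", buf, opt + 92, 16)     # NumberOfRvaAndSizes
    if signed:
        struct.pack_into("<II", buf, opt + 96 + 8 * SECURITY_DIR, 0x200, 0x1000)
    return bytes(buf)


if __name__ == "__main__":
    print(inspect_pe(build_sample_pe(NX_COMPAT | DYNAMIC_BASE, signed=True)))
    print(inspect_pe(build_sample_pe(0, signed=False)))
```

To check a real build, pass the bytes of the produced setup or uninstaller file to `inspect_pe`.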
I think this is normal behavior.
When your software collects enough "likes" = downloads or installs, SmartScreen will automatically turn off this message.
It is a really annoying feature because with every software release you need to wait an appropriate time while the software becomes "popular" and is recognized as safe (no certificates or antivirus methods can solve it).
You do NOT need this "Windows Application Certification Kit".
What @slappy says is correct:
After renewal of your certificate, you need enough downloads and "good reviews" before this message goes away.
What you need to do is to download your application using Microsoft Edge (not Chrome or Firefox!!!).
It will most likely say "This download may be dangerous and has been blocked".
Then you can choose "Keep anyways". And then you can choose "Report as Secure".
And THEN even SmartScreen says that it doesn't trust your app (even though it's digitally signed, LOL!!!!), then you have to choose "More..." and "Install anyways".
Install it on your computer! I think that is important.
I have used 5 different computers and reported my apps as secure multiple times and installed it.
I have also asked 2 friends (because of their different IP address) to do the same.
I hate this so much!!!!!!!!!!
After 1 day, the error message was gone.
I am following http://msdn.microsoft.com/en-us/library/ff649647.aspx#Step13 to add Username Authentication in WCF. At the step that I have to create a temporary certificate for SSL, I have the following questions:
The server on whose IIS the WCF service will be deployed does not have Visual Studio, therefore I am not sure what I'm supposed to do for the part in the link http://msdn.microsoft.com/en-us/library/ff648498.aspx (Step 3: Create and Install Your Temporary Service Certificate), which uses the Visual Studio command prompt.
Also, I am using IIS 8, and the steps in Step 13: Configure Security Settings in IIS do not follow smoothly as described in the step by step. If anybody has some experience configuring the Web site in IIS to use Secure Sockets Layer (SSL) encryption and anonymous security, I'd appreciate some pointers.
Ad1)
You can download makecert and put it on the target machine (it's just a simple tool, no need for full VS), or you can run the command on a different machine; it will create and install certificates in the LocalMachine/My store. Then you can export this certificate using the mmc tool with the certificate add-in and install it on the target machine in the same place (again using mmc). When you are exporting it, make sure you have the "include private key" checkbox checked.
Ad2) I don't have access to IIS8 atm, but the description on the msdn sounds OK. The only tip I can think of is to make sure you have a port open for HTTPS communication. It's done using the httpcfg tool
http://msdn.microsoft.com/pl-pl/library/ms733768(v=vs.110).aspx
We bought an authenticode certificate to sign a xap file on Verisign.com and after the registration completed, we received the certificate.
I installed it on my computer and I can now select it in my Visual Studio solution. The problem is, even after getting no error after the build process, when deploying it, I cannot have any certification client side.
I followed the following article, without success, what could I be missing ?
http://mtaulty.com/CommunityServer/blogs/mike_taultys_blog/archive/2011/04/27/silverlight-5-beta-rough-notes-trusted-apps-in-the-browser.aspx
Thanks for your help.
I've found a solution to my problem.
When launching a Silverlight XAP file in a "In-browser" mode, each client HAS to manually deploy those two things :
1) A key in the registry to allow the In-Browser mode :
For 32 bits System :
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Silverlight]
"AllowElevatedTrustAppsInBrowser"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Silverlight\Components]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Silverlight\Components\Debugging]
For 64 bits System :
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Silverlight]
"AllowElevatedTrustAppsInBrowser"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Silverlight\Components]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Silverlight\Components\Debugging]
2) Install my certificate into the "TrustedPublisher" store using the utility called "MMC".
Unlike Out-of-browser and install modes, when using the In-browser mode, each client has to perform those steps ! I've initially thought that those steps were automatic and that the client just had to confirm for their installation... That's not the case...
Hope it helps.
I was making an installer for my app. It's working fine on XP, but on Vista the UAC is giving problems: unless I do a run as administrator, the Unexpected error appears when I run my app after installation. Any idea?
I am installing the application in C:\xfolder\x
There is nothing you can do. You MUST run the installer as administrator.
As for the application, you will also need to run it as administrator with elevated privileges, but there are options to make it ask automatically for elevation via application manifest. You can do a search on stackoverflow.com because there are more posts related to this issue.
Here is a link to a post that might help.
Here are a couple more useful links on app manifest and UAC:
App Manifest (1)
App Manifest (2)
UAC technology.
They are in C# but then again translating to VB.net is like a walk in the park.
You can make a windows service. And put all operations that require elevated rights into that service. You install the service as SYSTEM account and you communicate with the client via .net remoting or any other way for vb6.
If your app exe is an ActiveX exe, then you will need to register all the ocx files using the regsvr command and then register your exe with the regsvr32 command; for an active class to be used in Win Vista it first must be registered. Make a batch to do these registrations.