PDA

View Full Version : Windows 10 does not like installer



NewsArchive
07-08-2016, 01:50 AM
Windows 10 site worries the users:

Windows protected your PC
Windows SmartScreen prevented an unrecognized app from starting. Running
this app might put
your PC at risk.

App: app_installer.exe
Publisher: Unknown Publisher

Is the problem with the SB installer or my app?

Sim

NewsArchive
07-08-2016, 01:51 AM
If it says "unknown publisher" that sounds as if your installer is not
code-signed?

jf

NewsArchive
07-08-2016, 01:51 AM
The app itself IS code-signed.
How do I code-sign the installer?

Sim

NewsArchive
07-08-2016, 01:51 AM
Project Menu --> Settings --> Digital Signature Tab.

You might need to scroll the tabs in the sheet to get there.

OR

Click on the "General Information" tree item and find the digital
signature thing on the right side.

Jeff Slarve
www.jssoftware.com
Twitter free since Jan 11, 2016
I'll search help files & Google for you.

Grammar troll's, are the worse.

NewsArchive
07-08-2016, 01:52 AM
Watch the #3 video at this link: http://www.beachbunnysoftware.com/SBVideo/

Jane Fleming

NewsArchive
07-08-2016, 01:52 AM
Hi Sim,

> The app itself IS code-signed.
> How do I code-sign the installer?

http://screencast.com/t/9p6bupxYSSjY

Best regards,

--
Arnor Baldvinsson
Icetips Alta LLC

NewsArchive
07-08-2016, 01:10 PM
Sim,

> Is the problem with the SB installer or my app?

What Jane, Jeff and Arnor said. Please note that you need a valid SHA-2
signature (SHA-1 is not enough because Microsoft depreciated it on January
01, 2016) on Windows 10, Windows 8.x, etc.. You should dual code-sign your
installer to provide backward compatibility to older Windows operating
systems.

Friedrich

NewsArchive
07-08-2016, 01:10 PM
Ah! That's probably it. SHA-1 vs SHA-2.
Thanks Friedrich.

Sim

NewsArchive
07-26-2016, 01:45 PM
Hi Friedrich

More worriing are the reputation thing. I have everything SHA-1 + SHA-2
signed, and yet my customers have to 'run anyway'. Do you have any idea how
many downloads it needs to get a solid reputation ?
Very strange: I know a programmer (clarion) who make an installer (
setup.exe ) and install to c:\myownpath . No signing at all. Gives no nag
screen, no 'Run anyway'. just a pure install. Even on Win 10. How can this
be possible ?

Med venlig hilsen
Viggo Poulsen
Vipilon

NewsArchive
07-26-2016, 01:45 PM
Hi Viggo,

> More worriing are the reputation thing. I have everything SHA-1 + SHA-2
> signed, and yet my customers have to 'run anyway'. Do you have any idea
> how many downloads it needs to get a solid reputation ?
> Very strange: I know a programmer (clarion) who make an installer (
> setup.exe ) and install to c:\myownpath . No signing at all. Gives no nag
> screen, no 'Run anyway'. just a pure install. Even on Win 10. How can this
> be possible ?

It has nothing to do with install. The download is the critical part here.
For code signing certificates, Windows stopped accepting SHA-1 signed code
and SHA-1 certificates that are time stamped after 1 January 2016 and have a
"Mark of the Web" attribute. A "Mark of the Web" attribute means that the
executable is flagged as downloaded from an untrusted source (e.g. the
Internet). Code signature status behavior might depend on specific Policy
settings and Trusted Zones, and SmartScreen data may be used to allow
certificates with good reputation. Download your friend's "unsigned"
install from the Web and try to start it on Windows 10 or Windows 8.1 and
you'll see what I mean ;-)

BTW, then there is the "User Access Control: Only elevate executables that
are signed and validated" Group Policy. A user with a high level of
security should have this policy ENABLED (and most large corporation have).
If this policy is enabled, the unsigned, tampered, hacked, or incomplete
application does not even start.

Friedrich

NewsArchive
07-26-2016, 01:46 PM
I just bought a new machine (Precision Workstation m7710) and needed
to install a bunch of software. Windows 10 "protected my computer"
from all of those setups and they all had Unknown Publisher.

Had to sell my soul to the devil with each setup. <g>

btw, IMO, the keyboard on the m7710 is going to take a lot of getting
used to. SHARING the 7 key with HOME? or having to use Fn + Arrow for
home seems whacked. Other than that, it's a sweet machine. I resisted
the urge to pimp it out, though. :)

Jeff Slarve
www.jssoftware.com
Twitter free since Jan 11, 2016
I'll search help files & Google for you.

Grammar troll's, are the worse.

NewsArchive
07-26-2016, 02:01 PM
Hi Jeff,

> I just bought a new machine (Precision Workstation m7710) and needed
> to install a bunch of software. Windows 10 "protected my computer"
> from all of those setups and they all had Unknown Publisher.
>
> Had to sell my soul to the devil with each setup. <g>

I've been rebuilding a laptop and it's been rather frustrating to
download installs and have a bunch of them be "protected" I don't
really understand what this is supposed to protect. It confuses people
who think that completely legitimate installs are somehow dangerous. I
call it a heap of bovine manure;)

Best regards,


--
Arnor Baldvinsson
Icetips Alta LLC

NewsArchive
07-26-2016, 02:02 PM
Ya

> I
>call it a heap of bovine manure;)

Jeff Slarve
www.jssoftware.com
Twitter free since Jan 11, 2016
I'll search help files & Google for you.

Grammar troll's, are the worse.

NewsArchive
07-26-2016, 02:03 PM
> I've been rebuilding a laptop and it's been rather frustrating to download
> installs and have a bunch of them be "protected" I don't really
> understand what this is supposed to protect. It confuses people who think
> that completely legitimate installs are somehow dangerous. I call it a
> heap of bovine manure;)

What concerns me more is that "they" did not update the installs to SHA-2,
especially for Windows 10. Microsoft told the world again and again (for
several years) that SHA-1 would be disabled on January 01, 2016. But even
large companies like Dell simply did not listen <g>.

Because the old SHA-1 based certificates are invalid, Windows and an
increasing number of protection systems do not accept the SHA-1 signature
and "block" the files. SHA-1 only signed files will result in a support
nightmare for software vendors very soon. As far as I know, it is already a
nightmare for Dell and Lenovo.

Friedrich

NewsArchive
07-26-2016, 02:04 PM
Then there are people like "NextGen" who write the enterprise software our
chain of medical centers use.

Who are still in an early-XP mentality.

They have a configuration file in c:\windows.

When we have certain issues with people creating documents, their tech
support tells us just to give Full Control to Everyone for the installation
folder.

Their installers are all unsigned - "unknown publisher do you wanna run?"

I guess when you charge tens of thousands of dollars per month just for
ongoing support, you don't gotta follow no rules.....

Oy...

Jane Fleming

NewsArchive
07-26-2016, 02:05 PM
Hi Jane

I'm not sure what it takes to frighten the customers. Earlier the warning
"unknown publisher do you wanna run?" was enough to make me sign my exe and
installs (with SB, naturally). But today my signed install and exe need
reputation, so the customers are met with ' Signature are damaged or
illegal' after whitch you have to click 'show downloads', rightclick the
install file, select 'run anyway'. After this windows smartscreen pops up
and you have to navigate through this too. I'm sure i loose furure customers
on this.
My point is: How long does it take to gain reputation (how many clicks) ? If
it takes too long i'll reconsider going with "unknown publisher do you wanna
run?" instead.

Sorry for this discussion in the Setupbuilder group, as this is a MS problem
and absolutely not a SB problem.

Best regards
Viggo Poulsen

NewsArchive
07-26-2016, 02:06 PM
Maybe MS will create an app with a Tinder type of Paradigm.

https://www.youtube.com/watch?v=Qgnxb-O-CBQ

Jeff Slarve
www.jssoftware.com
Twitter free since Jan 11, 2016
I'll search help files & Google for you.

Grammar troll's, are the worse.

NewsArchive
07-26-2016, 02:09 PM
Hi Friedrich,

> What concerns me more is that "they" did not update the installs to SHA-2,
> especially for Windows 10. Microsoft told the world again and again (for

Well, some of the installs that were "protected" were my own SHA-2
signed installs! That didn't seem to help much;) But they ARE dual
code signed...

Best regards,

--
Arnor Baldvinsson
Icetips Alta LLC

NewsArchive
07-26-2016, 02:09 PM
Maybe it's a reputation thing?

Have you been a good boy?<g>

Jeff Slarve
www.jssoftware.com
Twitter free since Jan 11, 2016
I'll search help files & Google for you.

Grammar troll's, are the worse.

NewsArchive
07-26-2016, 02:10 PM
Jeff,

> Have you been a good boy?<g>

Damn it, Jeff. You made SodaStream diet cola come out my nose!

Lee White

NewsArchive
07-26-2016, 02:10 PM
> Damn it, Jeff. You made SodaStream diet cola come out my nose!

That's another reason why I drink water these days instead of soda. It is
less painful<g>.


:-)

Charles


--
-------------------------------------------------------------------------------------------------------
Charles Edmonds

cjeByteMeSpammers@lansrad.com (remove the "ByteMeSpammers" to email me)
www.clarionproseries.com - ProScan, ProImage, ProPath and other Clarion
developer tools!
www.solidsoftware.de - ImageEx and RichReport templates!
www.seal-soft.com - The xProduct Clarion templates - xWordCOM, xToolTip,
xDataBackup Manager and more!
www.ezchangelog.com - "Free ChangeLog software to manage your projects!"
www.setupcast.com - "A revolutionary new publishing system for software
developers - enhanced for SetupBuilder users!"
www.pagesnip.com - "Print and Save the Web, just the way you want it!"
www.ezround.com - "Round Corner HTML tables with matching Banners, Buttons
and Forms - Now with PNG support!
www.lansrad.com - "Intelligent Solutions for Universal Problems"
www.fotokiss.com - "World's Best Auction Photo Editor"
-------------------------------------------------------------------------------------------------------

NewsArchive
07-26-2016, 02:11 PM
Hi Jeff,

> Maybe it's a reputation thing?

I'm sure, but how do you create reputation? I recall Friedrich had
issues with this sometime not so long ago. I believe if you get a new
certificate it's all reset to zero.

> Have you been a good boy?<g>

NO!<g> Never been known for that;)

Best regards,

--
Arnor Baldvinsson
Icetips Alta LLC

NewsArchive
07-26-2016, 02:11 PM
Arnor,

> I'm sure, but how do you create reputation?

If I recall you create a signed install that does nothing and ask
everyone to download it and run it... I think!<g>

Such as...
<http://www.cwaddons.com/installs/rep.exe>

SB script...
<http://www.cwaddons.com/installs/rep.zip>

This does nothing except open a message box that says thank you!

--
Lee White

RPM Report Viewer.: http://www.cwaddons.com/products/rpm/
RPM Review........: http://archive.clarionmag.com/cmag/v11/v11n06rpm.html
Report Faxing.....: http://www.cwaddons.com/products/afe/
---Enroll Today---: http://CWaddons.com

Creative Reporting: http://www.CreativeReporting.com

Product Release & Update Notices
http://twitter.com/DeveloperPLUS

Windows 8 brings us "The Oval, Bumper Car, Roller Coaster of Wait!"
And, now, Windows 10 brings us "The Inch Worm, Bumper Car of Wait!"

NewsArchive
07-26-2016, 02:12 PM
Hi Lee,

>> I'm sure, but how do you create reputation?
>
> If I recall you create a signed install that does nothing and ask
> everyone to download it and run it... I think!<g>

Wouldn't that just the same trigger a "protection" reaction from the
browser?

Best regards,

--
Arnor Baldvinsson
Icetips Alta LLC

NewsArchive
07-26-2016, 02:15 PM
Does this thread help any?

From: "Friedrich Linder" <friedrich@lindersoft.com>
Newsgroups: Subject: Need Help - SetupBuilder 10 certificate
reputation (screenshots attached)
Date: 15 Sep 2015 04:17:20 -0400

Jeff Slarve
www.jssoftware.com
Twitter free since Jan 11, 2016
I'll search help files & Google for you.

Grammar troll's, are the worse.

NewsArchive
07-26-2016, 02:16 PM
Hi Jeff,

> Does this thread help any?
....
>> Wouldn't that just the same trigger a "protection" reaction from the
>> browser?

I'm not sure. I can't see that it's mentioned. My point is:

If you need 1000 people (or however many) to download and accept your
download as "safe" to gain reputation so that other users don't get
warnings about the download being in some way unsafe, then how can a
beginner gain trust? Note that this happens EVERY time you buy or renew
a code signing certificate. To me it's a catch-22. You need reputation
so people will download and to gain reputation people have to download.

Best regards,

--
Arnor Baldvinsson
Icetips Alta LLC

NewsArchive
07-26-2016, 02:17 PM
Yes, and when you have gained reputation for Internet Explorer, you also
have to gain reputation for Crome and for Migrosoft Edge etc. This is bad
for business.

Best regards
Viggo Poulsen

NewsArchive
07-26-2016, 02:19 PM
Arnor,

> Wouldn't that just the same trigger a "protection" reaction from the
> browser?

Yep, that's the point.

--
Lee White

RPM Report Viewer.: http://www.cwaddons.com/products/rpm/
RPM Review........: http://archive.clarionmag.com/cmag/v11/v11n06rpm.html
Report Faxing.....: http://www.cwaddons.com/products/afe/
---Enroll Today---: http://CWaddons.com

Creative Reporting: http://www.CreativeReporting.com

Product Release & Update Notices
http://twitter.com/DeveloperPLUS

Windows 8 brings us "The Oval, Bumper Car, Roller Coaster of Wait!"
And, now, Windows 10 brings us "The Inch Worm, Bumper Car of Wait!"

NewsArchive
07-26-2016, 02:19 PM
Hi Lee,

>> Wouldn't that just the same trigger a "protection" reaction from the
>> browser?
>
> Yep, that's the point.

So to get users to download securely you need to get users to download
insecurely... Repeat x times every y years... Yeah, no security risks
there!!!

Me thinks internet "security" has turned into one of the biggest money
making scams in history - and there have been some big ones out there;)
but that's just me<g>

As an example I have completely stopped downloading anything from the
big download sites, like download.com, etc. Their installers are often
full of junk and I have so many times got hit with
malware/spyware/virus/whatever problems with them. ALL of it "secure"
of course, codesigned high and low and I'm sure with perfect
reputation. Grrrrr<g>

Best regards,


--
Arnor Baldvinsson
Icetips Alta LLC

NewsArchive
07-26-2016, 02:20 PM
Arnor,

> Grrrrr<g>

Excellent summation!

Lee White

NewsArchive
07-26-2016, 02:21 PM
Protection rackets are nothing new. Haven't you watched the Godfather
movie series enough times yet? <g>

Jeff Slarve
www.jssoftware.com
Twitter free since Jan 11, 2016
I'll search help files & Google for you.

Grammar troll's, are the worse.

NewsArchive
07-26-2016, 02:35 PM
Hi Lee,

>> Grrrrr<g>
>
> Excellent summation!

<g>

Best regards,

--
Arnor Baldvinsson
Icetips Alta LLC

NewsArchive
08-22-2016, 11:55 AM
> I just bought a new machine (Precision Workstation m7710)

Ordered mine four days ago :-) Status changed to "in production" this
morning. The new Precision Workstation m7710 will replace
my old m6600 main development machine (which does still work fast and
without any problem, but I need 64GB RAM to run more VMs simultaneously).

Friedrich

NewsArchive
08-22-2016, 11:56 AM
I'll post a detailed m7710 review soon...

Friedrich