fastn-stack / fastn

🚧 (Alpha stage software) fastn - better way to build websites 🚧
https://fastn.com
GNU Affero General Public License v3.0

[Task]: Windows False Virus Alert for fastn.exe During Installation #1166

Open Nishantjain10 opened 1 year ago

Nishantjain10 commented 1 year ago

Description

When trying to install the fastn.exe application on Windows, some users are encountering false virus alerts from their antivirus software. This situation could be due to a couple of reasons:

1. Missing Trust Factor

The absence of a proper trust indicator might be causing the antivirus software to flag fastn.exe as potentially harmful. A trust indicator, like a Code Signing Certificate, helps Windows recognize safe software. Without it, the antivirus might mistake the application for a virus.

2. Security Concerns or Bugs

There's a chance that security concerns or bugs within fastn.exe are triggering these alerts. It's possible that some parts of the application look suspicious to the antivirus software, even if they're harmless. This could be due to certain security vulnerabilities or coding issues.

Proposed Solutions

To fix this problem and ensure a smooth installation experience, here's what can be done:

1. Get a Code Signing Certificate

Acquiring a Code Signing Certificate and using it to sign fastn.exe will tell Windows that the application is safe to install. This should help prevent false alarms during installation.

2. Check for Security Problems

Review the code in fastn.exe carefully. If there are any security vulnerabilities or coding mistakes, fixing them will likely stop the antivirus software from raising false alarms.

3. Keep Everything Updated

Regularly update fastn.exe to make sure it's secure and up-to-date. This can also prevent false alarms that might be caused by known issues.

4. Talk to Antivirus Software Makers

Reach out to the companies that make popular antivirus software. Let them know that fastn.exe is not a virus and provide them with information about the Code Signing Certificate and any security measures taken.

5. Help Users Understand

Provide clear instructions to users on what to do if they see a false virus alert. Show them how to add fastn.exe to their antivirus software's safe list or how to report the false alarm.

Environment

Note

This issue could affect how much users trust and use the application. It's important to look into it and find a solution as soon as possible.

amitu commented 1 year ago

@Nishantjain10 need more details on 1, how to get the certificate. And also, once we have the certificate, how to use it in our GitHub Release Action.

Nishantjain10 commented 1 year ago

Sure @amitu,

I'm glad you're looking to get more information on acquiring a Code Signing Certificate and integrating it into our GitHub Release Action. Let's dive into the details:

Acquiring a Code Signing Certificate

Here's how you can obtain one:

  1. Choose a Certificate Authority (CA): Select a reputable Certificate Authority that offers Code Signing Certificates. Popular CAs include DigiCert, Comodo, and GlobalSign.

  2. Generate a Certificate Signing Request (CSR): You'll need to generate a CSR that includes information about your organization and the application. Most CAs provide instructions on how to do this. You might use OpenSSL or other tools to create the CSR.

  3. Submit CSR to CA: Submit the generated CSR to the chosen CA and follow their verification process. This typically involves verifying the organization's identity.

  4. Receive and Install Certificate: Once verified, the CA will provide you with the Code Signing Certificate. Install the certificate on your development machine.

Using the Certificate in GitHub Release Action

To use the Code Signing Certificate in your GitHub Release Action, you'll need to sign your executable during the release process. Here's a general outline of the steps involved:

  1. Store the Certificate Securely: Ensure that your Code Signing Certificate and its private key are stored securely. Do not expose these credentials in your repository.

  2. GitHub Secrets: In your GitHub repository, go to "Settings" > "Secrets" and add the necessary secrets:

    • CODE_SIGNING_CERTIFICATE: The content of your Code Signing Certificate.
    • CODE_SIGNING_PRIVATE_KEY: The private key associated with the certificate.
  3. Update Release Workflow: Modify your GitHub Actions workflow to include the signing step. You'll typically need to add a step that references the secrets and uses a signing tool, like signtool for Windows, to sign the fastn.exe executable.

  4. Sign the Executable: In your workflow, use the signtool command to sign the fastn.exe executable with your Code Signing Certificate. Here's an example:

    
    - name: Sign Executable
      shell: pwsh
      env:
        PFX_B64: ${{ secrets.CODE_SIGNING_CERTIFICATE }}      # assumed to hold the .pfx (certificate + private key), base64-encoded
        PFX_PASSWORD: ${{ secrets.CODE_SIGNING_PRIVATE_KEY }}   # the password protecting that .pfx
      run: |
        [IO.File]::WriteAllBytes("$PWD\cert.pfx", [Convert]::FromBase64String($env:PFX_B64))   # signtool /f needs a file on disk, not secret text
        signtool sign /f cert.pfx /p $env:PFX_PASSWORD /fd SHA256 /tr http://timestamp.digicert.com /td SHA256 fastn.exe

Remember that this is a high-level overview, and the actual steps might vary based on your environment and specific tools. Make sure to consult the documentation of the tools you're using for more detailed instructions.

I hope this provides a clearer picture of the process. If you have any further questions or need more specific guidance, please let me know : )
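A complete workflow that wires the steps above together, as an added example (this is not fastn's own release workflow): it decodes a base64-encoded PFX from a repository secret into the runner's temp directory, signs with signtool using SHA-256 digests and an RFC 3161 timestamp, verifies the signature before anything is published, and deletes the PFX again. The secret names CODE_SIGNING_PFX_BASE64 and CODE_SIGNING_PFX_PASSWORD, the cargo build step and its target\release\fastn.exe output path, the softprops/action-gh-release upload step, and the signtool location under the Windows SDK on the runner image are all assumptions.

```yaml
# Added example (not fastn's own workflow): sign and verify fastn.exe on a Windows runner.
# Assumptions: the secrets CODE_SIGNING_PFX_BASE64 (base64-encoded .pfx bundling certificate
# and private key) and CODE_SIGNING_PFX_PASSWORD exist, the build produces
# target\release\fastn.exe, and signtool.exe ships with the Windows SDK on the runner image.
name: release-sign-windows

on:
  release:
    types: [published]

permissions:
  contents: write   # only needed to attach the signed binary to the release

jobs:
  sign:
    runs-on: windows-latest
    steps:
      - uses: actions/checkout@v4

      # Placeholder for the project's real build step (assumed to produce target\release\fastn.exe)
      - name: Build fastn.exe
        run: cargo build --release

      - name: Locate signtool
        id: signtool
        shell: pwsh
        run: |
          $tool = Get-ChildItem "C:\Program Files (x86)\Windows Kits\10\bin\*\x64\signtool.exe" |
                  Sort-Object FullName -Descending | Select-Object -First 1
          if (-not $tool) { throw "signtool.exe not found on this runner" }
          "path=$($tool.FullName)" | Out-File -FilePath $env:GITHUB_OUTPUT -Append

      - name: Sign fastn.exe
        shell: pwsh
        env:
          # Secrets are passed through env, never interpolated into the script text
          PFX_B64: ${{ secrets.CODE_SIGNING_PFX_BASE64 }}
          PFX_PASSWORD: ${{ secrets.CODE_SIGNING_PFX_PASSWORD }}
          SIGNTOOL: ${{ steps.signtool.outputs.path }}
        run: |
          # Materialise the PFX only inside the runner's temp dir; it is never committed
          $pfx = Join-Path $env:RUNNER_TEMP "codesign.pfx"
          [IO.File]::WriteAllBytes($pfx, [Convert]::FromBase64String($env:PFX_B64))
          try {
            # /fd and /td select SHA-256; /tr requests an RFC 3161 timestamp so the
            # signature stays valid after the certificate itself expires
            & $env:SIGNTOOL sign /f $pfx /p $env:PFX_PASSWORD /fd SHA256 `
              /tr http://timestamp.digicert.com /td SHA256 target\release\fastn.exe
            if ($LASTEXITCODE -ne 0) { throw "signtool sign failed" }
          } finally {
            Remove-Item $pfx -Force -ErrorAction SilentlyContinue
          }

      - name: Verify signature before publishing
        shell: pwsh
        env:
          SIGNTOOL: ${{ steps.signtool.outputs.path }}
        run: |
          # /pa = Authenticode policy; a bad chain or timestamp fails the job here, not on users' machines
          & $env:SIGNTOOL verify /pa /v target\release\fastn.exe
          if ($LASTEXITCODE -ne 0) { throw "signature verification failed" }
          # Second opinion from PowerShell; Status must be 'Valid'
          $sig = Get-AuthenticodeSignature target\release\fastn.exe
          if ($sig.Status -ne 'Valid') { throw "Get-AuthenticodeSignature: $($sig.Status)" }
          "Signed by: $($sig.SignerCertificate.Subject)"

      - name: Attach signed binary to the release
        uses: softprops/action-gh-release@v2
        with:
          files: target\release\fastn.exe
```

Two design points worth keeping even if the rest is adapted: the secrets reach the script through `env:` rather than `${{ }}` substitution inside `run:`, so they cannot alter the script text, and the verify step runs in CI so a broken chain or missing timestamp is caught before the file is attached to a release. The same `Get-AuthenticodeSignature fastn.exe` call is what a user can run locally to confirm who signed the binary they downloaded.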

amitu commented 1 year ago

@Nishantjain10 or is it NishantGPT, this is all good and all, I want you to do it. Let me know the step that you can not do and I should (eg go to this URL and purchase the certificate and add it to github environment). Send a PR. Make this happen.

Nishantjain10 commented 1 year ago

> @Nishantjain10 or is it NishantGPT, this is all good and all, I want you to do it. Let me know the step that you can not do and I should (eg go to this URL and purchase the certificate and add it to github environment). Send a PR. Make this happen.

On it, Captain! 🛡

harshdoesdev commented 1 year ago

@Nishantjain10 and I will be working on the issue together, @amitu