Windows SmartScreen preventing installer from Running

[paperclip]

"Windows protected your PC" "Windows SmartScreen prevented an unrecognized app from starting. Running this app might put your PC at risk." App: wsltty-0.7.5-install.exe Publisher: Unknown publisher

Installer downloaded from github. Maybe false-positives would be reduced by signing and setting publisher? Also if you could publish the SHA256 of the installer it would be easier to verify it?

[paperclip]

Image of the alert:

[mintty]

After #31 and #28, this is getting really weird. The installer was created with a Microsoft tool, so if they don't recognize their own stuff, I can't help it. Therefore marking 'invalid'. Also, I don't feel the ambition to dig into the fiddly details of signing and all that stuff. If someone tells me how to do it, I'll do it.

[spgennard]

Have a read of the wiki on the subject, you have two solutions:

• This can be fixed by the author digitally signing the distributed software.
• A common distribution method for authors to bypass SmartScreen warnings is to pack their installation program (for example Setup.exe) into a ZIP-archive and distribute it that way

[mintty]

• A common distribution method for authors to bypass SmartScreen warnings is to pack their installation program (for example Setup.exe) into a ZIP-archive and distribute it that way

Did you try this with wsltty? Even if it does, I guess zip archives are not really common for installation in the Windows world, especially as they depend on further tools being installed to work.

• This can be fixed by the author digitally signing the distributed software.

Sure, see my previous comment.

[mintty]

Added note on project page. Is this sufficient to close the issue?

[paperclip]

Sure, I don't know much about signing Windows executables, so I can't really help. I'd like it if you published sha512 checksums of the executables, to reduce the risk of alteration in transit, but I don't want to give you extra work.

[mintty]

I don't want to give you extra work.

Thanks, you understood my previous comments well. I don't see how sha checksums should help with the original use case (the warning), they only make the ordinary user even more confused, by my experience. Signing sounds better, so as I said, if anyone would provide a short how-to...

[willpower232]

I just encountered this for 0.7.6 and did not get a "run anyway" option.

I resolved it by viewing the properties and selecting "unblock".

[mintty]

Thanks for the info; can you describe this more clearly so I can add a note to the project page? I suppose properties of the installer, but I'm not aware of a standard "unblock" item.

[willpower232]

I right clicked the installer to get to the properties and checked the unblock text box and pressed OK and suddenly I was able to run it.

[mintty]

Released 0.7.7. WSLtty should now be supporting third-party installation environments (#30).

[ryanerwin]

Unfortunately Windows Defender SmartScreen is now outright blocking the download of WSLTTY-0.7.7...

I've looked into Windows code signing a bit. First, it looks like you'll need to purchase an (SPC) code signing certificate. The most affordable that I was able to find is $80 from Comodo. For more references see this Quora post: Where can I find a free or cheap code signing certificate or aboutssl.com compare code signing certificates

centrum offers a free code signing certificate for open source authors, but requires the purchase of a $30 EUR usb token.

Once we've got the code signing certificate, we would need to sign:

• [ ] wslbridge.exe
• [x] zoo.exe
• [x] mintty.exe
• [x] cygwin-console-helper.exe
• [ ] cygwin1.dll
• [ ] wsltty-0.7.7-install.exe
• [ ] If there's an uninstaller exe (I didn't notice one) that would need to be signed too

IE, every EXE, DLL, OCX or CAB must be signed...

Use the Microsoft's SIGNTOOL command line to sign the actual binaries.

For example:

signtool.exe" sign /f "c:\certpath\cert.p12" /p "%SIGNPASS%" "wslbridge.exe"
signtool.exe" sign /f "c:\certpath\cert.p12" /p "%SIGNPASS%" "zoo.exe"
signtool.exe" sign /f "c:\certpath\cert.p12" /p "%SIGNPASS%" "mintty.exe"
signtool.exe" sign /f "c:\certpath\cert.p12" /p "%SIGNPASS%" "cygwin-console-helper.exe"
signtool.exe" sign /f "c:\certpath\cert.p12" /p "%SIGNPASS%" "cygwin1.dll"
signtool.exe" sign /f "c:\certpath\cert.p12" /p "%SIGNPASS%" "wsltty-0.7.7-install.exe"

Centrum is probably the best deal so that no additional fee is required. Note that you may need to do some certificate conversion along the way with makecert and pvk2pfx

[mintty]

If my personal domain/hosting provider offers free certificates, will that work? Or is there a distinction for dedicated "code signing" certificates?

The concept of open source projects having to pay for such a signing feature sounds somewhat alien to me and I am not familiar with the infrastructure behind it. To make that clear, I am not willing to pay anything...

[ryanerwin]

Nope, unfortunately the free certificates are connected to Letsencrypt which doesn't support (SPC) code signing certificates. The reason is that all of Letsencrypt processes are automatic, so they would not be helpful in determining if a publisher is trustworthy.

See: https://community.letsencrypt.org/t/do-you-support-code-signing/370/5

I suggest a donation button on the wsltty page.

[mintty]

See: https://community.letsencrypt.org/t/do-you-support-code-signing/370/5

So why should a certificate that assesses that the publisher controls domain xyz not be usable for code signing? Anyway, as long as those security nerds don't endeavour to present their brilliant mechanisms in clear and compact terms, and make reasonable offers to use them, I don't feel like pursueing this further.

[ryanerwin]

Sure would be unfortunate if less people end up using wsltty due to these silly code signing issues... Personally I'm amazed at how good WSL is, and how close wsltty gets to the feel of the native gnome-terminal... But conhost is soooooo horrible... Kind of a tragedy if that's the window that people are looking at WSL through...

A few ideas:

• Collect donations on the wsltty github page to fund the code signing certificate purchase and renewal
• Ask for volunteer contributors that already have a code signing certificate and can sign wsltty at each release
• Provide detailed instructions that encourage users to compile wsltty themselves

[mintty]

• Collect donations on the wsltty github page to fund the code signing certificate purchase and renewal

I guess my calculation would look like: ~80$ – expense for certificate ~200$ – compensation for effort and time spent on acquiring it ~500$ – indemnification for mental twisting about certificate quirks Don't know how long it would take to collect the lump sum...

• Ask for volunteer contributors that already have a code signing certificate and can sign wsltty at each release

Hmm. Hmmmm. I'd prefer to be able to actually build the package myself. But maybe... Aren't there any community certificates, perhaps? Or a web service offering the packaging, including the signing. From source maybe, to ensure no malware is uploaded?

• Provide detailed instructions that encourage users to compile wsltty themselves

Such instructions are available: home page, "Installation from source repository". Would be easier though if ported to native WSL build. But this would require MS to support hybrid applications (using Windows APIs from WSL).

[mintty]

See also https://github.com/mintty/wsltty/issues/20#issuecomment-274791898; the package could be wrapped in a Debian/Ubuntu package for WSL-based installation...

[PhilipDaniels]

Found this http://www.certum.eu/certum/cert,offer_code_signing.xml via https://www.reddit.com/r/opensource/comments/5qf6f7/open_source_code_signing_expenses/

Price seems to have gone up a bit though.

[mintty]

http://www.certum.eu/certum/cert,offer_code_signing.xml

If you click on "Buy now", offers look different than before. 28€ open-source, 13€ professional, that's counter-intuitive; also, would that be 28€ one-time or per year? Not very trust-building...

[mintty]

Please recheck with 0.7.7.1.

[willpower232]

no difference to https://github.com/mintty/wsltty/issues/32#issuecomment-299531333

[fti7]

Any News here? I got an Virus Warning from Symantec Endpoint Protection Version/Installer Used: 0.7.7.2

Scan type: Auto-Protect Scan Event: Security Risk Found! Security risk detected: WS.Reputation.1 File: C:\Users\xxx\Downloads\wsltty-0.7.7.2-install.exe Location: Quarantine Computer: xxx User: xxxx Action taken: Quarantine succeeded : Access denied Date found: Dienstag, 20. Juni 2017 16:51:07

[mintty]

News are:

• There's now also the option to install WSLtty from the repository (download or git checkout), provided you install a basic cygwin environment.
• Someone is planning on a third-party installer package (#30).

No news about the idea to sign the installer, whether that would help at all, and how it might work out.

[ghost]

@willpower232 By the way, you can also click "More info" on the SmartScreen warning screen and it will show the "Run anyway" option. Windows Defender doesn't block the download for me in Firefox on Windows 10 Creators Update, haven't tried Edge.

[ghost]

@fti7 WS.Reputation.1 does not mean malware, it means "likely to be a security risk" based on (indirect) community feedback. This is not surprising for an unsigned executable.

Source: https://www.symantec.com/security_response/writeup.jsp?docid=2010-051308-1854-99

[fti7]

Sure :-) but unfortunately our Company Policy Blocks this kind of threat :-(

[lucastheisen]

The installer got blocked by our corporate scanner due to SONAR.Cryptlck!g147...

[paperclip]

According https://www.symantec.com/security_response/writeup.jsp?docid=2017-042422-5011-99 " SONAR.Cryptlck!g147 is a heuristic detection to detect known variants of the Ransom.Cryptolocker family of threats. " So it's not a direct detection, but another of the heuristic checks, that might or might not be fixed with signing. Probably best to report to symantec as a false positive.

[mintty]

... best to report to symantec as a false positive.

Thanks. May please somebody do so.

[lucastheisen]

Thanks. May please somebody do so.

Here you go:

CONFIRMATION

Your submission has been sent Sat Jul 22 08:31:33 PDT 2017. To make another submission, click here.

Sincerely,

Symantec Security Response

[lucastheisen]

Heard back from symantec... The agreed stating that after their investigation it was a false positive and will be whitelisted within the next 72 hours. I would paste the contents of their response, but the bottom of the email states that would be prohibited...

[fuzzykiller]

@mintty

So why should a certificate that assesses that the publisher controls domain xyz not be usable for code signing?

Because it does not have the appropriate certificate usage (Code Signing, OID 1.3.6.1.5.5.7.3.3) set. Even if you were to sign your code with it, it would not be a valid signature.

That being said, signing won’t help: https://security.stackexchange.com/questions/139347/smart-screen-filter-still-complains-despite-i-signed-the-executable-why

You may(!) have success with the Windows Application Certification Kit, as per this answer. I doubt it’s applicable here though.

[mintty]

Thank you for contributing this information. That means, however, that I'll probably just close this issue as there is no remedy feasible. Maybe issue #30 will help, once there is a 3rd party package.

[ukreddy-erwin]

I am facing similar issue,so I have signed our product with godaddy certificate buy purchasing it. But the screen still appears.

As in the below link it is mentioned as it depends on the download frequency.

https://stackoverflow.com/questions/33202192/windows-8-smart-screen-does-not-allow-signed-clickonce-application https://social.msdn.microsoft.com/Forums/ie/en-US/a252672b-c72a-4d98-a3c0-5929fdc446a2/-not-commonly-downloaded-may-harm-your-computer-message-with-ie-when-my-installer-is?forum=iewebdevelopment

Any isuggestions?

[mintty]

63 should eventually and finally resolve this issue.

[navossoc]

@mintty A few years ago some certification authorities supported open source projects and provided certificates for digital code signing. Like certum: https://www.certum.eu/certum/cert,offer_en_open_source_cs.xml

Not sure how it works now. It needs some research.

Anyway, to avoid for sure the Microsoft SmartScreen screen you will need a EV certificate. With a "standard" certificate you may need to build reputation, but it will be much easier than if it had not been signed at all.

About the #63, to submit Windows Store Apps you will probably need to sign it too 🤣 https://msdn.microsoft.com/en-us/library/windows/apps/br230260(v=vs.85).aspx (except you will not have to worry with the smartscreen)

Selling digital certificates is a good way to get rich. So, yeah, it sucks and maybe we are on the wrong line of work.

[mintty]

Thanks for the hint. The information on their page is ambiguous so I sent them an enquirey and got the information that there is no free service. Still unclear whether the 28€ package is sufficient or the 86€ package with hardware would be needed. However, although I could easily afford it, I see no justification for spending money on my own open source project, nor the investigation into all the know-how, to add that. Some other way will have to be found. Or not.

[navossoc]

I was reading about it and I think the "free service" become this 28€/86€ package. If they (support) really can't explain that, maybe it is best to leave at it is 😆

The process of signing the file is not complicated, at the beginning it's just a pain in the ass, but once you automate is painless.

Either way, it is not a certificate that will tell us whether the file is trusted or not. So I don't care either, I was just trying to share some knowledge 😛

Cheers.

[mintty]

Yes, thanks for sharing your knowledge. Could you perhaps share some more:

The process of signing the file is not complicated, at the beginning it's just a pain in the ass, but once you automate is painless.

... in order to save me the pain in the ass (which, as I had claimed a few times here and in other issues, I am not willing to invest :/ ), by providing reproducible steps for actual signing, preferably command-line only? (Assuming I had a certificate eventually from somewhere...)

[navossoc]

@mintty To be honest I ended up here by accident, then I saw the discussion and thrown a few words. For what I have understand, you have a installer (.exe) that is currently unsigned.

A few years ago I got a certificate for driver signing and is real pain in the ass to get started with it.

First of all, you will need to buy a code sign certificate.

There are two major kinds: Regular and EV.

• Regular: You can use it to sign a .exe, .dll, java applets, etc... (Including drivers*, but Microsoft has changed some policies on Windows 10)
• EV: It does the same thing, but will get reputation on SmartScreen.

The EV certificates are really expensive and are extremely boring to get, because they (certification authorities) sell it for companies only (there a few exceptions) and will require a hardware token to store it. It seems the EV is the only way to solve this SmartScreen issue for sure, but you may get a good reputation with a regular certificate.

After you purchase it, you will need to do some proof of identity. They will likely call you or chat with you by webcam and will require you sign some documents.

After all this bureaucracy, you will get a email with a link to generate your own certificate.

If you use Internet Explorer, the process is really painless. Just click the link, it will generate a certificate on your computer.

Having the certificate installed on your system, now you really can starting signing files. There are a few ways to do it.

The easier one, just for testing, you can use a DigiCert Certificate Utility. Just select the file and sign it. Test it and see if it works as planned.

(It really works with any certificate, it doesn't matter if the certificate is not issued by DigiCert)

Considering everything goes ok, you can start automating it... I'm using the signtool, you can get it by downloading Windows SDK.

It will be located on: C:\Program Files (x86)\Windows Kits\10\bin\10.0.16299.0\x86 C:\Program Files (x86)\Windows Kits\10\bin\10.0.16299.0\x64

The docs about the tool are available here: https://msdn.microsoft.com/en-us/library/windows/desktop/aa387764(v=vs.85).aspx

You can use something like this to automate it:

@echo off
REM Tools
set SIGNTOOL="C:\Program Files (x86)\Windows Kits\10\Tools\bin\i386\signtool.exe"

REM Certificate
set CERTSHA2=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
set TIMESTAMP2=/tr http://timestamp.digicert.com /td sha256

%SIGNTOOL% sign /fd sha256 /sha1 %CERTSHA2% %TIMESTAMP2% "your_installer.exe"

CERTSHA2 is the thumbprint of the certificate, you can check on the details tab.

I am not sure where you will build the installer, but for extra security... You can also export your certificate with the private key and re import it using the "strong private key protection" and making it non exportable. Be careful here, or you may need to generate another certificate.

There is another way too... You can export it to a .pfx file and use it directly from the command line with a password (/f and /p flags). This option is good if you use a build environment.

I prefer to use it on the Windows Certificate Store, because I sign files only on this computer.

Since you are targeting Windows 10, you don't need to worry with sha1 certificates and windows patches that need to be installed on the clients.

Let me know if you need more details about any step. English is not my native language, so it may be not as clear as I think I wrote it.

[]'s

[mintty]

A Windows Appx package is now available in the wsltty.appx repository. Please try to install that.

[jkraemer]

fwiw I just downloaded the 1.8.5.2install.exe and it ran just fine on Win 10 Home (10.0.17134.48). Stumbled upon this issue after the fact and checked my smart screen settings, it's all active. Probably you just got enough 'reputation' by now :)

[mintty]

Thanks for the report, so I'm closing this now.

[dclar43]

I'm currently having this issue.

From my testing all installers < 1.9.0 work just fine(I've currently got 1.8.5.2 running). Starting at 1.9.0 SmartScreen/Windows Defender will warn about it being unsigned and hitting "Run Anyway" will fail as the .exe has been deleted.

Attempting to use choco/scoop failed as well potentially for unrelated reasons, but as best I can tell they still just run the installer in the end.

The Appx repository's releases are behind but it looks like there's discussion going there.

[Biswa96]

@dclar43 You can try unsigned Appx package from https://ci.appveyor.com/project/Biswa96/wsltty-test > Visual Studio > Artifacts.

[dclar43]

@Biswa96 as this is happening on a work machine I'll need to spend a bit of time reading up on Appx and combing through the related code. So it's not likely something that I could try anytime soon. It was already quite the time sink digging through the choco/scoop files ;)

I'll keep this in mind though, thanks.