spring-attic / spring-ide

Spring Development Environment for Eclipse

STS-3-9-10 (Windows zip) Hash mismatch on STS.exe #400

Closed captaincaaaaveman closed 4 years ago

captaincaaaaveman commented 4 years ago

In the Windows 3-9-10 download the STS.exe is signed but there is a hash mismatch (which triggers malicious code detection software).

I have checked the MD5 signature for the ZIP file and that matches, and I have re-extracted from a different zip file - so it is not unlikely to be due to file corruption.

martinlippert commented 4 years ago

You reported this on SO, too:

https://stackoverflow.com/questions/58819600/hashmismatch-on-sts-exe-in-sts-3-9-10-release-windows-zip/58832777

I think it would be good if you would cross-reference those postings when you decide to post the exact same question to multiple forums to avoid people doing the work to look into those questions multiple times.

I posted an answer to the SO question above. Short version: we do NOT sign the Windows executable of our STS4 distribution, so the error looks to be related to a false warning of your malicious code detection software.

martinlippert commented 4 years ago

As written in a comment here: https://stackoverflow.com/questions/58819600/hashmismatch-on-sts-exe-in-sts-3-9-10-release-windows-zip/58832777?noredirect=1#comment103942961_58832777 - the signing signature might come from the Eclipse executable that serves as a base for the STS executable in the build. We need to investigate this.

captaincaaaaveman commented 4 years ago

Cheers @martinlippert - You probably already know/suspect this but I can confirm that this is still a problem on STS 4.4.1.

Also fwiw - It was also not a problem on 3.9.6, I'm guessing because the eclipsec.exe was not signed on that version.

martinlippert commented 4 years ago

I started with the Spring Tools 4 for Eclipse and added signing of the Windows executable to it. Can you double check this? You can download the latest nightly build from here:

https://dist.springsource.com/snapshot/STS4/nightly-distributions.html

Grab one of the Windows distributions and try it. Would be great to know whether that works for you. If so, I will go ahead and add the signing mechanics to the STS3 builds, too.

captaincaaaaveman commented 4 years ago

@martinlippert - Perfect; it looks good and the PowerShell command Get-AuthenticodeSignature .\SpringToolSuite4.exe now returns State=Valid

Thanks very much

martinlippert commented 4 years ago

Awesome, thanks for the feedback, much appreciated!
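
The check used at the end of this thread, extended to every executable in an extracted distribution (an added example, not code from the thread or from the Spring Tools build; the `.\sts-bundle` path and the `Get-DistSignatureReport` function name are assumptions). It separates files that were never signed from files whose signature no longer matches their contents, which a matching archive checksum cannot reveal because the archive was created after the executable was built.

```powershell
# Added example: audit the Authenticode status of every PE file in an
# extracted distribution. The default directory is a placeholder (assumption).
param(
    [string]$DistRoot = '.\sts-bundle'
)

function Get-DistSignatureReport {
    param([Parameter(Mandatory)][string]$Root)

    Get-ChildItem -Path $Root -Recurse -File -Include *.exe, *.dll |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                File   = $_.FullName
                # Status is a SignatureStatus enum: Valid, NotSigned,
                # HashMismatch, NotTrusted, UnknownError, ...
                Status = [string]$sig.Status
                Signer = if ($sig.SignerCertificate) {
                             $sig.SignerCertificate.Subject
                         } else { '' }
                # Plain file hash, recorded so two extractions can be compared.
                Sha256 = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
}

$report = @(Get-DistSignatureReport -Root $DistRoot)
$report | Sort-Object Status, File | Format-Table -AutoSize -Wrap

# NotSigned    : no signature embedded, so there is nothing to mismatch.
# HashMismatch : a signature is embedded, but the file was changed after it
#                was signed. The Signer column shows whose signature it is.
$bad = @($report | Where-Object { $_.Status -notin 'Valid', 'NotSigned' })
if ($bad.Count -gt 0) {
    Write-Warning "$($bad.Count) file(s) carry a signature that does not verify:"
    $bad | ForEach-Object { Write-Warning "  $($_.Status)  $($_.File)" }
    exit 1   # non-zero exit lets a build or release job fail on this
}
Write-Output "No broken signatures among $($report.Count) file(s)."
```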