Installer cannot be run without bypassing Windows Defender Smartscreen #398
Comments
|
Thank you for raising this issue and the detailed description! I didn't notice any problems with Defender SmartScreen so far, but maybe I have a different setup and we don't use Microsoft Defender in the company. The EV code signing certificate is more than 10 times the price of the current one. That's too expensive. On the other hand providing the installer through the Microsoft Store seems to be a good way to get more reputation and to spread ruby to more users at the same time. Python is also there and the publishing process seems to be manageable. I already read all the documentation of the process and so far I see only some minor issues to be fixed. The rest is already in a good shape. Years ago I was checking this publishing way, but it was technically difficult to that time. The download notification text is also a good idea, but I'd like to fix it at the root rather than fixing symptoms. |
|
Thanks Lars.
Distributing Ruby though the Microsoft Store idea sounds like a great idea.
…On Mon, 9 Dec 2024 at 06:35, Lars Kanis ***@***.***> wrote:
Thank you for raising this issue and the detailed description! I didn't
notice any problems with Defender SmartScreen so far, but maybe I have a
different setup and we don't use Microsoft Defender in the company.
The EV code signing certificate is more than 10 times the price of the
current one. That's too expensive. On the other hand providing the
installer through the Microsoft Store seems to be a good way to get more
reputation and to spread ruby to more users at the same time. Python is
also there and the publishing process seems to be manageable. I already
read all the documentation of the process and so far I see only some minor
issues to be fixed. The rest is already in a good shape. Years ago I was
checking this publishing way, but it was technically difficult to that time.
The download notification text is also a good idea, but I'd like to fix it
at the root rather than fixing symptoms.
—
Reply to this email directly, view it on GitHub
<#398 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/ACFGSNOLBV33RJSPRAERDOT2ESUQLAVCNFSM6AAAAABTHFSI7SVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDKMRWGM3TAMBRHA>
.
You are receiving this because you authored the thread.Message ID:
***@***.***>
|
|
Same issue with ruby 3.3.6-2 (x64) without devkit. Windows Specifications:
|
|
If the publisher is "Open Source Developer, Lars Kanis" then the downloaded file is unmodified and safe to use. It's a false positive of the Microsoft Defender. We're working on this issue. Sorry for the inconvenience! |
What problems are you experiencing?
Message "Microsoft Defender SmartScreen prevented an unrecognized app from starting. Running this app might put your PC at risk" is shown when running the installer.
This may be a long-standing issue?
I have tested with versions 3.2.6-1 x64, 3.2.6-1 x32, 3.1.6-1 x64.
Steps to reproduce
Download installer and run.
What's the output from
ridk version?N/A
The certificate for the installers looks good as 1) it's created by Certum Certificate Authority with valid dates, 2) Certum is a member of Windows trusted root cerificates program.
https://learn.microsoft.com/en-us/security/trusted-root/participants-list
However, that fact that this may not an Extended Validation (EV) code certificate may explain why the installer is unrecognised.
https://learn.microsoft.com/en-us/archive/blogs/ie/microsoft-smartscreen-extended-validation-ev-code-signing-certificates
Note that a workaround may be reassure users that it's ok to bypass SmartScreen when installing. This could involve changing the page:
https://rubyinstaller.org/downloads/
to mention this.
e.g. something like:
Note that Windows Defender SmartScreen may flag the installer as unrecognised and will prevent the app from starting. This is because Microsoft is trying to protect you from malicious apps. Unfortunately, Microsoft also requires organisations to pay for validation.
Please click the box "More info" and then "Run anyway" to install. If you are concerned about whether the installer has been tampered with you can verify the PGP signature of the download.
OS:
Edition Windows 10 Pro
Version 22H2
Installed on 21/08/2021
OS build 19045.5131
Experience Windows Feature Experience Pack 1000.19060.1000.0
The text was updated successfully, but these errors were encountered: