On Fri, Mar 2, 2012 at 4:15 PM, Dennis E. Hamilton <dennis.hamil...@acm.org> wrote:
> Out of curiosity I just did another download of the OOo-dev 3.4 Windows "MSI"
> r1293550 to see if the popularity contest had been won yet.
>
> Not yet.
>
> The Internet Explorer 9 download warning is
> "OOo-Dev-OOO340m1_Win_x86_install_en-US.exe is not commonly downloaded and
> could harm your computer." The file is already downloaded at that point,
> however. The options are Delete, Actions, and View downloads (opening a
> separate tool that shows downloads and status). The Actions option includes
> "Don't run this program (recommended)", "Delete", and "Run Anyway."
>
> A "Run Anyway" or a later execution of the downloaded .exe will provoke a
> User Account Control message (on default configurations, even for
> administrator accounts) that warns that the file is from an unknown source
> (that is, the .EXE is not signed) and that it was downloaded from the
> Internet.
>
> I also did a custom scan of the single download file using Microsoft Security
> Essentials. The scan (which is programmed to dig into these files)
> identified 51916 individual items and no threats.
>
> All of this is tolerable and arguably appropriate for developer snapshots.
> Users who use these builds need to rely on their own judgment about the
> trustworthiness of the origin and the content of those files.
>
> Note that it is the .exe that needs to be signed. This should not be
> confused with a .msi file, although I assume those can be signed also.
> Apache OpenOffice does not use .msi as the packaged binary that is
> downloaded. (It appears that LibreOffice has changed that.) It strikes me
> that using external digest values (md5 and sha1 digests) on the download
> requires a super-user skill set and should not be the only thing relied upon
> for project binary releases.
>

Yes, MSIs can be installed and are required to be signed for some distribution
paths. Generally you want to sign what you distribute. Don't expect I.E. or
your anti-virus to deflate a 200 MB archive to see if some EXE inside is
signed. (And then what about the DLLs?) We should be signing the whole
enchilada.

-Rob

> -----Original Message-----
> From: Dennis E. Hamilton [mailto:dennis.hamil...@acm.org]
> Sent: Friday, March 02, 2012 11:19
> To: ooo-dev@incubator.apache.org
> Subject: RE: Symantec WS.Reputation.1 Errors: What we can do
>
> The web-based downloader in Internet Explorer 9 also warns about the .exe
> files (not the tar.gz or Zip ones). The message is clearly a
> no-reputation-yet warning.
>
> This is an on-line check. When the file is known to be regularly downloaded,
> the report will change automatically.
>
> I have seen no AV warnings about the downloaded files themselves, although
> there is a standard OS warning on use of such files when they were downloaded
> from the internet and/or are not signed. (In Windows 8 Consumer Preview, it
> is necessary to click "details" to see that there is a "Run anyhow"
> selection.)
>
> I saw no AV warnings after the installation on any systems having Microsoft
> Malware detection and regularly-updated Windows Security Essentials.
>
> - Dennis
>
> -----Original Message-----
> From: Rob Weir [mailto:robw...@apache.org]
> Sent: Friday, March 02, 2012 07:00
> To: ooo-dev@incubator.apache.org
> Subject: Symantec WS.Reputation.1 Errors: What we can do
>
> Several testers have mentioned this anti-virus error when installing
> the AOO 3.4 dev snapshot build. This is not a virus.
> "WS.Reputation" errors come from Symantec Antivirus based on their
> "reputation-based" threat assessments. Essentially, they evaluate
> software that you are about to install according to a range of
> factors, including how new the file is, how many other people have
> installed it, whether the installer is digitally signed, etc. It is
> not just one factor, but a proprietary mix of weighted factors.
>
> We're probably getting penalized based on several of these factors.
> Note that with the final AOO 3.4 release we'll be in the same
> position, since that installer will also be new, etc.
>
> A few things we should consider doing:
>
> 1) Make sure the readme file and install instructions cover this case
> and explain what the user should do, e.g. "Run anyways"
>
> 2) We can make a request to Symantec to "whitelist" our installer.
> This takes a couple of weeks for them to process. And we can't start
> this work in advance since they need the SHA-256 hash of our
> installer:
>
> https://submit.symantec.com/whitelist/isv/
>
> 3) We could digitally sign our Windows installers. Apache already
> requires a detached signature. But Symantec has no idea about these.
> We need traditional Windows exe code signing. This will help us with
> Windows 8 as well. So it is something we probably want to look into
> at some point.
>
> My recommendation:
>
> Plan on doing 1. Do 2. as soon as we have a release. Look into 3. for AOO
> 4.0.
>
> Regards,
>
> -Rob
>
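The thread above touches three separate signals that a reputation engine or Windows itself reads off a downloaded installer: the SHA-256 digest a vendor whitelist form asks for, whether the .exe carries an Authenticode signature, and the "downloaded from the Internet" mark that triggers the UAC/SmartScreen wording. The PowerShell function below is an added example, not code from the thread or from the Apache OpenOffice project; it assumes Windows PowerShell 4 or later (for `Get-FileHash`), and the installer path in the usage line is a placeholder.

```powershell
# Added example: summarise the trust-relevant facts about a downloaded installer.
# Not part of the mailing-list thread; assumes PowerShell 4+ on Windows.
function Get-InstallerTrustReport {
    param(
        [Parameter(Mandatory)]
        [string]$Path
    )

    $file = Get-Item -LiteralPath $Path

    # SHA-256 is the value a vendor whitelist submission keys on; the md5/sha1
    # digests published beside a download are a separate, user-facing check.
    $sha256 = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash

    # Authenticode status of the .exe itself. Typical values: Valid, NotSigned,
    # HashMismatch, UnknownError. A detached PGP signature does not show up here.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path

    # Browsers write a Zone.Identifier alternate data stream on downloads;
    # ZoneId=3 is the Internet zone and is what produces the "downloaded from
    # the Internet" warning. Absence of the stream means no mark-of-the-web.
    $zoneId = $null
    $mark = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if ($mark) {
        $zoneLine = $mark | Where-Object { $_ -like 'ZoneId=*' } | Select-Object -First 1
        if ($zoneLine) { $zoneId = [int]$zoneLine.Substring('ZoneId='.Length) }
    }

    [pscustomobject]@{
        File            = $file.Name
        SizeMB          = [math]::Round($file.Length / 1MB, 1)
        SHA256          = $sha256
        SignatureStatus = $sig.Status.ToString()
        Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
        ZoneId          = $zoneId
        Assessment      = if ($sig.Status -eq 'Valid') { 'Signed; reputation warnings should clear faster' }
                          elseif ($zoneId -eq 3)      { 'Unsigned Internet download; expect reputation/UAC warnings' }
                          else                         { 'Unsigned; no mark-of-the-web present' }
    }
}

# Usage (placeholder path, not a real file on this page):
# Get-InstallerTrustReport -Path 'C:\Downloads\OOo-Dev-OOO340m1_Win_x86_install_en-US.exe' | Format-List
```

For a release engineer the useful part is that the same report can be run on the artifact before it is published: the SHA-256 is what goes into the whitelist request, and a `SignatureStatus` of `NotSigned` on the outer .exe is exactly the state the thread describes, regardless of whether the binaries packed inside it are signed.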