Re: Sign the installers
On Thursday, 28 June 2018 at 07:35:13 UTC, Radu wrote:
> On Wednesday, 27 June 2018 at 23:54:55 UTC, Manu wrote:
> > [...]
>
> This can be done easily, you need something like this on the Linux build server
> ---
> osslsigncode sign -pkcs12 dlang-cert.pkcs12.p12 -pass `cat dlang-cert.pkcs12.pwd` -n "Dlang installer" -i http://www.dlang.org/ -t http://timestamp.verisign.com/scripts/timstamp.dll -in ./org_setup.exe -out ./signed_setup.exe
> ---
> I think the SSL certificate can be used to create the pkcs12.p12 one used for signing.

A more detailed read for the `osslsigncode` tool https://github.com/antoinevg/osslsigncode/blob/master/README
Re: Sign the installers
On Wednesday, 27 June 2018 at 23:54:55 UTC, Manu wrote:
> Hey people,
>
> So I had a few people in the office refuse to install DMD because when they launched the installer, Windows displayed the prompt that it was untrusted (ie, unsigned) and not offer the install button without manual override.
> True also for VisualD.
>
> Can we get a key and start signing the install packages?
>
> It would be super-cool to sign the 2.081 release since it's like, imminent ;)
>
> - Manu

This can be done easily, you need something like this on the Linux build server
---
osslsigncode sign -pkcs12 dlang-cert.pkcs12.p12 -pass `cat dlang-cert.pkcs12.pwd` -n "Dlang installer" -i http://www.dlang.org/ -t http://timestamp.verisign.com/scripts/timstamp.dll -in ./org_setup.exe -out ./signed_setup.exe
---
I think the SSL certificate can be used to create the pkcs12.p12 one used for signing.
Re: Sign the installers
On Thursday, 28 June 2018 at 05:57:36 UTC, Seb wrote:
> On Wednesday, 27 June 2018 at 23:54:55 UTC, Manu wrote:
> > Hey people,
> >
> > So I had a few people in the office refuse to install DMD because when they launched the installer, Windows displayed the prompt that it was untrusted (ie, unsigned) and not offer the install button without manual override.
> > True also for VisualD.
> >
> > Can we get a key and start signing the install packages?
> >
> > It would be super-cool to sign the 2.081 release since it's like, imminent ;)
> >
> > - Manu
>
> For the record, the releases are already signed:
>
> http://downloads.dlang.org/releases/2018/
>
> dmd.2.080.1.windows.zip.sig
> dmd.2.080.1.windows.zip
> dmd.2.080.1.windows.7z.sig
> dmd.2.080.1.windows.7z
>
> Though I know that a PGP signature isn't what you are looking for ;-)

Yes it is not. What is needed is for the D Language Foundation to obtain a code signing certificate from a trusted by Microsoft certificate authority and then to sign each individual .exe and .dll part of official release both in the .7z archive and then the .exe installer as a whole.

See also:
https://docs.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/platform-apis/ms537361(v=vs.85)
https://docs.microsoft.com/en-us/windows-hardware/drivers/dashboard/get-a-code-signing-certificate
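Added example, not part of any post in this thread: both the signing command posted above and the requirement to sign each individual .exe and .dll come down to every PE file carrying an embedded Authenticode blob in its certificate table. This Python check lists the PE files in a release that lack one; `sample_pe` and the file names are constructed for illustration, and finding a blob does not prove that it chains to a trusted CA.

```python
import struct

WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002  # Authenticode stores a PKCS#7 SignedData blob

def authenticode_blob(pe: bytes):
    """Return (offset, size) of the embedded signature blob, or None if unsigned."""
    try:
        if pe[:2] != b"MZ":
            raise ValueError("not a PE file")
        (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
        if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            raise ValueError("missing PE signature")
        opt = e_lfanew + 24                  # optional header follows 4-byte sig + 20-byte COFF header
        (magic,) = struct.unpack_from("<H", pe, opt)
        if magic not in (0x10B, 0x20B):
            raise ValueError("unknown optional header magic")
        dirs = opt + (96 if magic == 0x10B else 112)    # data directories: PE32 vs PE32+
        (count,) = struct.unpack_from("<I", pe, dirs - 4)
        if count <= 4:
            return None                      # no security directory slot at all
        off, size = struct.unpack_from("<II", pe, dirs + 4 * 8)  # index 4: file offset, not RVA
        if off == 0 or size == 0:
            return None                      # empty certificate table: the file is unsigned
        length, _rev, cert_type = struct.unpack_from("<IHH", pe, off)
    except struct.error:
        raise ValueError("truncated PE file") from None
    if cert_type != WIN_CERT_TYPE_PKCS_SIGNED_DATA or not 8 < length <= size or off + size > len(pe):
        raise ValueError("malformed certificate table")
    return off + 8, length - 8               # skip the 8-byte WIN_CERTIFICATE header

def unsigned_files(release: dict) -> list:
    """Names of PE files in a release (name -> bytes) that carry no embedded signature."""
    return sorted(n for n, data in release.items() if authenticode_blob(data) is None)

def sample_pe(signed: bool) -> bytes:
    """Constructed minimal PE32 header for this example; not a runnable program."""
    head = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40) + b"PE\0\0" + bytes(20)
    head += struct.pack("<H", 0x10B) + bytes(90) + struct.pack("<I", 16)
    dirs = bytearray(16 * 8)
    cert = b""
    if signed:
        blob = b"CONSTRUCTED-BLOB"           # placeholder, not a real PKCS#7 structure
        cert = struct.pack("<IHH", 8 + len(blob), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + blob
        struct.pack_into("<II", dirs, 4 * 8, len(head) + len(dirs), len(cert))
    return head + bytes(dirs) + cert
```

This only catches files that were never signed; a full chain and timestamp check still needs `osslsigncode verify` or `signtool verify` before publishing.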
Re: Sign the installers
On Wednesday, 27 June 2018 at 23:54:55 UTC, Manu wrote:
> Hey people,
>
> So I had a few people in the office refuse to install DMD because when they launched the installer, Windows displayed the prompt that it was untrusted (ie, unsigned) and not offer the install button without manual override.
> True also for VisualD.
>
> Can we get a key and start signing the install packages?
>
> It would be super-cool to sign the 2.081 release since it's like, imminent ;)
>
> - Manu

For the record, the releases are already signed:

http://downloads.dlang.org/releases/2018/

dmd.2.080.1.windows.zip.sig
dmd.2.080.1.windows.zip
dmd.2.080.1.windows.7z.sig
dmd.2.080.1.windows.7z

Though I know that a PGP signature isn't what you are looking for ;-)
Re: Sign the installers
On Thursday, 28 June 2018 at 01:34:22 UTC, Jonathan M Davis wrote:
> On Wednesday, June 27, 2018 17:59:42 Brad Roberts via Digitalmars-d wrote:
> > On 6/27/2018 5:34 PM, Jonathan M Davis via Digitalmars-d wrote:
> > > On Wednesday, June 27, 2018 17:26:36 Manu via Digitalmars-d wrote:
> > > > I guess people feel nervous about installing allegedly potentially dangerous software on their corporate workstation.
> > >
> > > Honestly, that's exactly the sort of thing that I always ignore. I'd pay attention if anti-virus software outright said that it found a virus, but "unrecognized software?" That's exactly the sort of thing that's just going to get me pissed off at Microsoft for getting in my way. Though honestly, Microsoft pops up so many useless messages that it becomes easy to miss any that actually matter, because you have to skip through so many of them all the time that you stop paying attention to them. So, I'm definitely surprised to hear about programmers refusing to install something just because Microsoft doesn't recognize it.
> > >
> > > - Jonathan M Davis
> >
> > It's all about removing resistance and raising the level of professionalism. D isn't a hobby project and shouldn't act like one. This is an obvious barrier that's worth removing. In this day and age of rampant actively dangerous software, it's an obvious improvement to sign it and make the strong claim that this is produced and vended by the d foundation and we vouch for its contents. We already do for some (all?) of the posix distribution bundles.
>
> Well, as I said in my initial response, I have no problem with the installer being signed. I'm just surprised that any programmers would care.

The issue in professional setting is not just necessarily about the programmer himself but the policies of its company or the IT team in charge of the devs PC. As stated elsewhere, I work in a public administration and the IT is handled by another directorate than the directorate I work for. The IT department is in charge of more than 15,000 PCs. You can imagine that they do everything to have their control over that fleet by normalising and tightening policies. They acknowledge that the developers need a little bit more leverage and freedom on their machines by providing some local admin rights, but even with that, it is sometimes quite difficult to install anything not from the official approved list.

Unfortunately, D has been quite annoying to install. The last version i.e. 2.080 for instance didn't install as there is one of the binaries that get quarantined by the anti-virus. Anti-virus I cannot influence because local admin rights are not sufficient to whitelist a file.

Installing 64 bit code is also a chore as dmd delegates the installation of the required libs to the Microsoft installer. The problem, the Microsoft installer is incapable to get through our proxy and there's no offline installation option anymore since 2017. I know it's a Microsoft issue, but it is part of the things that makes using D quite challenging. I'm highly motivated and am not pressed by deadlines so it doesn't bother me too much, but I can imagine that somehow reluctant devs will stop at the first hurdle encountered.
Re: Sign the installers
> It's all about removing resistance and raising the level of professionalism. D isn't a hobby project and shouldn't act like one. This is an obvious barrier that's worth removing. In this day and age of rampant actively dangerous software, it's an obvious improvement to sign it and make the strong claim that this is produced and vended by the d foundation and we vouch for its contents. We already do for some (all?) of the posix distribution bundles.

Well said, thanks.
Re: Sign the installers
On Wednesday, June 27, 2018 17:59:42 Brad Roberts via Digitalmars-d wrote:
> On 6/27/2018 5:34 PM, Jonathan M Davis via Digitalmars-d wrote:
> > On Wednesday, June 27, 2018 17:26:36 Manu via Digitalmars-d wrote:
> > > I guess people feel nervous about installing allegedly potentially dangerous software on their corporate workstation.
> >
> > Honestly, that's exactly the sort of thing that I always ignore. I'd pay attention if anti-virus software outright said that it found a virus, but "unrecognized software?" That's exactly the sort of thing that's just going to get me pissed off at Microsoft for getting in my way. Though honestly, Microsoft pops up so many useless messages that it becomes easy to miss any that actually matter, because you have to skip through so many of them all the time that you stop paying attention to them. So, I'm definitely surprised to hear about programmers refusing to install something just because Microsoft doesn't recognize it.
> >
> > - Jonathan M Davis
>
> It's all about removing resistance and raising the level of professionalism. D isn't a hobby project and shouldn't act like one. This is an obvious barrier that's worth removing. In this day and age of rampant actively dangerous software, it's an obvious improvement to sign it and make the strong claim that this is produced and vended by the d foundation and we vouch for its contents. We already do for some (all?) of the posix distribution bundles.

Well, as I said in my initial response, I have no problem with the installer being signed. I'm just surprised that any programmers would care.

- Jonathan M Davis
Re: Sign the installers
On Wednesday, 27 June 2018 at 23:54:55 UTC, Manu wrote:
> Hey people,
>
> So I had a few people in the office refuse to install DMD because when they launched the installer, Windows displayed the prompt that it was untrusted (ie, unsigned) and not offer the install button without manual override.
> True also for VisualD.
>
> Can we get a key and start signing the install packages?
>
> It would be super-cool to sign the 2.081 release since it's like, imminent ;)
>
> - Manu

Also please add a sha1 or something like it
Re: Sign the installers
On 6/27/2018 5:34 PM, Jonathan M Davis via Digitalmars-d wrote:
> On Wednesday, June 27, 2018 17:26:36 Manu via Digitalmars-d wrote:
> > I guess people feel nervous about installing allegedly potentially dangerous software on their corporate workstation.
>
> Honestly, that's exactly the sort of thing that I always ignore. I'd pay attention if anti-virus software outright said that it found a virus, but "unrecognized software?" That's exactly the sort of thing that's just going to get me pissed off at Microsoft for getting in my way. Though honestly, Microsoft pops up so many useless messages that it becomes easy to miss any that actually matter, because you have to skip through so many of them all the time that you stop paying attention to them. So, I'm definitely surprised to hear about programmers refusing to install something just because Microsoft doesn't recognize it.
>
> - Jonathan M Davis

It's all about removing resistance and raising the level of professionalism. D isn't a hobby project and shouldn't act like one. This is an obvious barrier that's worth removing. In this day and age of rampant actively dangerous software, it's an obvious improvement to sign it and make the strong claim that this is produced and vended by the d foundation and we vouch for its contents. We already do for some (all?) of the posix distribution bundles.
Re: Sign the installers
On Thursday, 28 June 2018 at 00:15:54 UTC, Jonathan M Davis wrote:
> On Wednesday, June 27, 2018 16:54:55 Manu via Digitalmars-d wrote:
> > Hey people,
> >
> > So I had a few people in the office refuse to install DMD because when they launched the installer, Windows displayed the prompt that it was untrusted (ie, unsigned) and not offer the install button without manual override.
> > True also for VisualD.
> >
> > Can we get a key and start signing the install packages?
> >
> > It would be super-cool to sign the 2.081 release since it's like, imminent ;)
>
> I'm certainly not against getting it signed (though I have no idea what's involved with that). However, I'm surprised that anyone actually pays attention to that or cares.
>
> - Jonathan M Davis

My AV at work actually blocks DMD, so signing it would also help with whitelisting it and other D tools (I manage the AV anyways so I just moved myself to a more lax policy). I wouldn't be too surprised if this is the case elsewhere.
Re: Sign the installers
On Wednesday, June 27, 2018 17:26:36 Manu via Digitalmars-d wrote:
> On Wed, 27 Jun 2018 at 17:24, Manu wrote:
> > On Wed, 27 Jun 2018 at 17:16, Jonathan M Davis via Digitalmars-d wrote:
> > > On Wednesday, June 27, 2018 16:54:55 Manu via Digitalmars-d wrote:
> > > > Hey people,
> > > >
> > > > So I had a few people in the office refuse to install DMD because when they launched the installer, Windows displayed the prompt that it was untrusted (ie, unsigned) and not offer the install button without manual override.
> > > > True also for VisualD.
> > > >
> > > > Can we get a key and start signing the install packages?
> > > >
> > > > It would be super-cool to sign the 2.081 release since it's like, imminent ;)
> > >
> > > I'm certainly not against getting it signed (though I have no idea what's involved with that). However, I'm surprised that anyone actually pays attention to that or cares.
> >
> > Windows hides the install button from you, you have to press the underlined "More Info" text (at the bottom of the "It's so unsafe bro!" blurb), and then "Run Anyway".
> > It says "Windows Defender SmartScreen prevented an unrecognized app from starting. Running this app might put your PC at risk.", which looks threatening!
>
> I guess people feel nervous about installing allegedly potentially dangerous software on their corporate workstation.

Honestly, that's exactly the sort of thing that I always ignore. I'd pay attention if anti-virus software outright said that it found a virus, but "unrecognized software?" That's exactly the sort of thing that's just going to get me pissed off at Microsoft for getting in my way. Though honestly, Microsoft pops up so many useless messages that it becomes easy to miss any that actually matter, because you have to skip through so many of them all the time that you stop paying attention to them. So, I'm definitely surprised to hear about programmers refusing to install something just because Microsoft doesn't recognize it.

- Jonathan M Davis
Re: Sign the installers
On Wed, 27 Jun 2018 at 17:24, Manu wrote:
> On Wed, 27 Jun 2018 at 17:16, Jonathan M Davis via Digitalmars-d wrote:
> > On Wednesday, June 27, 2018 16:54:55 Manu via Digitalmars-d wrote:
> > > Hey people,
> > >
> > > So I had a few people in the office refuse to install DMD because when they launched the installer, Windows displayed the prompt that it was untrusted (ie, unsigned) and not offer the install button without manual override.
> > > True also for VisualD.
> > >
> > > Can we get a key and start signing the install packages?
> > >
> > > It would be super-cool to sign the 2.081 release since it's like, imminent ;)
> >
> > I'm certainly not against getting it signed (though I have no idea what's involved with that). However, I'm surprised that anyone actually pays attention to that or cares.
>
> Windows hides the install button from you, you have to press the underlined "More Info" text (at the bottom of the "It's so unsafe bro!" blurb), and then "Run Anyway".
> It says "Windows Defender SmartScreen prevented an unrecognized app from starting. Running this app might put your PC at risk.", which looks threatening!

I guess people feel nervous about installing allegedly potentially dangerous software on their corporate workstation.
Re: Sign the installers
On Wed, 27 Jun 2018 at 17:16, Jonathan M Davis via Digitalmars-d wrote:
> On Wednesday, June 27, 2018 16:54:55 Manu via Digitalmars-d wrote:
> > Hey people,
> >
> > So I had a few people in the office refuse to install DMD because when they launched the installer, Windows displayed the prompt that it was untrusted (ie, unsigned) and not offer the install button without manual override.
> > True also for VisualD.
> >
> > Can we get a key and start signing the install packages?
> >
> > It would be super-cool to sign the 2.081 release since it's like, imminent ;)
>
> I'm certainly not against getting it signed (though I have no idea what's involved with that). However, I'm surprised that anyone actually pays attention to that or cares.

Windows hides the install button from you, you have to press the underlined "More Info" text (at the bottom of the "It's so unsafe bro!" blurb), and then "Run Anyway".
It says "Windows Defender SmartScreen prevented an unrecognized app from starting. Running this app might put your PC at risk.", which looks threatening!
Re: Sign the installers
On Wednesday, June 27, 2018 16:54:55 Manu via Digitalmars-d wrote:
> Hey people,
>
> So I had a few people in the office refuse to install DMD because when they launched the installer, Windows displayed the prompt that it was untrusted (ie, unsigned) and not offer the install button without manual override.
> True also for VisualD.
>
> Can we get a key and start signing the install packages?
>
> It would be super-cool to sign the 2.081 release since it's like, imminent ;)

I'm certainly not against getting it signed (though I have no idea what's involved with that). However, I'm surprised that anyone actually pays attention to that or cares.

- Jonathan M Davis