Microsoft SmartScreen - 使用 Inno Setup 安装程序暂停?
[英]Microsoft SmartScreen - suspended using Inno Setup installer?
问题描述
I always use Inno Setup for packaging and publishing.
我总是使用 Inno Setup 进行打包和发布。 Users download the application using a link for example: https://oursite.com/codesigned/mysetup.exe用户使用链接下载应用程序,例如: https : //oursite.com/codesigned/mysetup.exe
Till now, it always worked.直到现在,它一直有效。 But recently I have to renew my code signing certificate because its expired.但最近我必须更新我的代码签名证书,因为它已过期。 After renew I have SmartScreen problem, every users download the application and gets this Smartscreen which was not before.更新后我遇到了 SmartScreen 问题,每个用户都下载了应用程序并获得了以前没有的 Smartscreen。
I have used signtool.exe verify /pa innosetup-made-myexe.exe and it shows successful, also I have done the verification with Windows Application Certification Kit , that shows it is PASSED, but with WARNNINGS, all those WARNNINGS mostly generated by Inno Setup.我已经使用了signtool.exe verify /pa innosetup-made-myexe.exe并且它显示成功,我也使用Windows Application Certification Kit完成了验证,这表明它已通过,但是带有警告,所有这些警告主要由 Inno 生成设置。
Here you can find the output, where its showing WARNINGS on Inno Setup exes:在这里你可以找到输出,它在 Inno Setup exes 上显示警告:
https://docs.google.com/document/d/11frW_GxI0xSVcrAXh4_rqcKBQSaermAlpYKj4xzQi4o/pub https://docs.google.com/document/d/11frW_GxI0xSVcrAXh4_rqcKBQSaermAlpYKj4xzQi4o/pub
How can I fix this problem?我该如何解决这个问题?
(still not sure if its Standard Code Signing vs EV code signing issue? I already used Standard Code Signing for few years, it always worked. I can upgrade to EV Code signing, but how can I make sure its not Inno Setup compiler problem? As you can see already the WARNNINGS are shown in the URL above to Inno Setup) (仍然不确定它的标准代码签名与 EV 代码签名问题?我已经使用标准代码签名几年了,它总是有效。我可以升级到 EV 代码签名,但我如何确保它不是 Inno Setup 编译器问题?如您所见,警告已显示在上面 Inno Setup 的 URL 中)
To verify if it's Inno Setup or code signing issue (see https://stackoverflow.com/a/29067585/285594 ), I have done following:为了验证它是否是 Inno Setup 或代码签名问题(参见https://stackoverflow.com/a/29067585/285594 ),我做了以下工作:
From Microsoft, I have downloaded the file call
winqual.exe, which does not need Inno Setup.我从 Microsoft 下载了不需要 Inno Setup 的文件调用winqual.exe。I code signed the
winqual.exeand uploaded to my same server我对winqual.exe代码签名并上传到我的同一台服务器I downloaded the same file with Internet Explorer and it works without showing me the SmartScreen.
我用 Internet Explorer 下载了相同的文件,它在不显示 SmartScreen 的情况下工作。
Does it make any sense now if Inno Setup is the main cause of this problem?如果 Inno Setup 是导致此问题的主要原因,现在是否有意义?
3 个解决方案
解决方案1
2 已采纳 2015-03-16 08:34:18
Nowadays, you have to use EV code signing certificates.如今,您必须使用 EV 代码签名证书。
See Transferring Microsoft SmartScreen reputation to renewed certificate .请参阅将 Microsoft SmartScreen 信誉转移到续订的证书。
Below is the original answer, which addresses some specifics of the question.以下是原始答案,它解决了问题的一些细节。
If you believe the problem is due to an unsigned uninstaller, make sure you set the SignTool directive of your Inno Setup project accordingly.如果您认为问题是由于未签名的卸载程序引起的,请确保相应地设置 Inno Setup 项目的SignTool指令。 And make sure SignedUninstaller directive has its default value yes .并确保SignedUninstaller指令具有其默认值yes 。
Quoting SignTool directive documentation :引用SignTool指令文档:
Specifies the name and parameters of the Sign Tool to be used to digitally sign Setup ( and Uninstall if SignedUninstaller is set to
yes).yes则为 Uninstall )。 When Setup has a valid digital signature, users will not see an "unidentified program" warning when launching it.
If you want to set NXCOMPAT and DYNAMICBASE flags to the uninstaller, you can create a sign.bat batch file that both calls signtool.exe and editbin.exe :如果您想为卸载程序设置 NXCOMPAT 和 DYNAMICBASE 标志,您可以创建一个同时调用signtool.exe和editbin.exe的sign.bat批处理文件:
@echo off
editbin.exe /NXCOMPAT /DYNAMICBASE %1
signtool.exe sign ... %1
The calls need to be in this order, otherwise the editbin.exe breaks the signature.调用必须按此顺序进行,否则editbin.exe会破坏签名。
Then use the sign.bat instead of signtool.exe in the SignTool directive.然后在SignTool指令中使用sign.bat而不是signtool.exe 。
Though I do not really think this is necessary, nor helps anything.虽然我真的不认为这是必要的,也没有任何帮助。
解决方案2
1 2015-03-16 05:14:27
I think this is normal behavior.我认为这是正常的行为。 When your software collect enough "likes" = downloads or installs the SmrtScreen will automatically turn off this message.当您的软件收集到足够多的“喜欢”= 下载或安装时,SmrtScreen 将自动关闭此消息。
It is really annoying feature because with every software release you need to wait appropriate time while the software become "popular" and it is recognized as safe (no certificates or antivirus methods can solve it).这确实是一个令人讨厌的功能,因为对于每个软件版本,您都需要等待适当的时间,直到软件变得“流行”并且它被认为是安全的(没有证书或防病毒方法可以解决它)。
解决方案3
0 2021-07-25 23:17:13
You do NOT need this "Windows Application Certification Kit".您不需要这个“Windows 应用程序认证工具包”。
What @slappy says is correct: @slappy 说的是正确的:
After renewal of your certificate, you need enough downloads and "good reviews" before this message goes away.续订证书后,在此消息消失之前,您需要足够的下载和“好评”。
What you need to do is to download your application using Microsoft Edge (not Chrome or Firefox!!!).您需要做的是使用 Microsoft Edge(不是 Chrome 或 Firefox !!!)下载您的应用程序。
It will most likely say "This download may be dangerous and has been blocked".它很可能会说“此下载可能有危险并已被阻止”。
Then you can choose "Keep anyways".然后您可以选择“始终保留”。 And then you can choose "Report as Secure".然后您可以选择“报告为安全”。
And THEN even Smart Screen says that it doesn't trust your app (even though it's digitally signed, LOL!!!!), then you have to choose "More..." and "Install anyways".然后即使 Smart Screen 说它不信任你的应用程序(即使它是数字签名的,大声笑!!!),那么你必须选择“更多...”和“无论如何安装”。
Install it on your computer!安装在你的电脑上! I think that is important.我认为这很重要。
I have used 5 different computers and reported my apps as secure multiple times and installed it.我使用了 5 台不同的计算机并多次报告我的应用程序是安全的并安装了它。
I have also asked 2 friends (because of their different IP address) to do the same.我也问过 2 个朋友(因为他们的 IP 地址不同)做同样的事情。
I hate this so much!!!!!!!!!!我非常讨厌这个!!!!!!!!!! After 1 day, the error message was gone. 1 天后,错误消息消失了。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.