8.0 release binary for Windows, SmartScreen

John Clements

Feb 10, 2021, 3:51:59 PM
to Racket Developers
Hi there, racket-dev!

I’m writing to you today on behalf of the racket release team, to ask for your help and your advice.

Specifically, the release candidates for racket 8.0 for Windows are currently available at these URLs

https://mirror.racket-lang.org/installers/8.0/racket-8.0-x86_64-win32.exe
https://mirror.racket-lang.org/installers/8.0/racket-8.0-x86_64-win32-bc.exe
https://mirror.racket-lang.org/installers/8.0/racket-8.0-i386-win32.exe
https://mirror.racket-lang.org/installers/8.0/racket-8.0-i386-win32-bc.exe

Unfortunately, Microsoft’s SmartScreen currently flags these binaries as “blocked because it could harm your device” when downloading using Edge, and possibly malicious at installation time when downloaded using another browser.

Our research suggests that the solution to this is … just to download it a lot. Also, to download it using Edge, and use the three-dots menu to report it as a safe website. We’ve submitted the file to Microsoft, and they cheerfully reported that the file would no longer be flagged. Unfortunately, this is clearly not the case.

So, we’re asking for help of two different kinds.

1) If you use Windows, please take a minute to download and install the binary from one of these URLs. Plus, you get a special *PREVIEW* copy of 8.0, you lucky duck!

If you get the chance to do this, we’d also be grateful if you would fill out this five-multiple-choice google form, so we have some idea of how many people are actually doing this *and* whether people are still seeing the smartscreen warnings.

https://docs.google.com/forms/d/e/1FAIpQLSf0pT1B0Xho5ZsyEg5i8LiSMoZk3hXkugD7GflpkcZVj6VOfg/viewform?usp=sf_link

2) If you use Windows and you have experience that would suggest that we’re somehow misunderstanding this situation, we’d love to hear about it.

Many thanks!

John Clements


Dominik Pantůček

Feb 10, 2021, 4:44:43 PM
to racke...@googlegroups.com
Hi John and others at racket-dev,

> 2) If you use Windows and you have experience that would suggest that we’re somehow misunderstanding this situation, we’d love to hear about it.

although I am not using Windows, we've been developing some software
that needs direct hardware access for quite some time now here at my
company.

We faced a similar situation in 2019 and apparently there is only one
"ultimate" solution: get an EV signing certificate from a CA trusted by
Microsoft to sign binaries. Truth is that getting it here in Central
(ehm, ehm, Eastern) Europe is almost impossible.

Getting an OV certificate lowers the required number of
downloaded/installed instances before the SmartScreen warning goes away.
Getting an EV one makes it go away immediately (usually - exceptions are
sadly not unheard of).

We followed the documentation for Windows drivers (which have the
strictest rules) at
https://docs.microsoft.com/en-us/windows-hardware/drivers/dashboard/get-a-code-signing-certificate
- a similar approach might help here as well.


Cheers,
Dominik

John Clements

Feb 10, 2021, 6:14:38 PM
to Dominik Pantůček, racke...@googlegroups.com
Wow, that’s incredibly informative and helpful. Out of curiosity, do you have any ballpark idea what the number of downloads required for something to be listed as trusted is?

John

Dominik Pantůček

Feb 12, 2021, 4:12:06 AM
to racke...@googlegroups.com
On 11. 02. 21 0:14, 'John Clements' via Racket Developers wrote:
> Wow, that’s incredibly informative and helpful. Out of curiosity, do you have any ballpark idea what the number of downloads required for something to be listed as trusted is?

I asked my colleague who was handling this back then and frankly the
answer is no.

Dominik

Dyllon Gagnier

Feb 14, 2021, 4:37:30 AM
to Racket Developers
Still seeing this as of the time of this writing. Edge Dev flags it immediately and other browsers download the file, but then the file is flagged when you try to run it.

I filled out the Google Form and just wanted to update on this thread to let people know that this still seems to be an issue.

As a workaround until this is fixed, maybe put a warning about it on the download page for Windows as well as the file hash in case people want to verify it.

I tested out forcing the installer to run as non-admin via "cmd /min /C "set __COMPAT_LAYER=RUNASINVOKER && start "" racket-8.0-x86_64-win32-cs.exe" and that resulted in no prompt being raised. Running it directly from cmd still raises the error. However, running directly from an admin cmd prompt also launched the installer with no warnings. The issue seems to be caused by the fact that the installer immediately tries to elevate to admin.

I think it may be possible to get the installer to work without admin as long as Racket installs outside of Program Files. I know some installers only elevate to admin if the user requests to do a system wide install. I tested this out about a year ago and the Racket installer doesn't actually need admin permissions. I verified this by using the RUNASINVOKER trick since this was on a work machine where I did not have admin permissions.

John Clements

Feb 14, 2021, 8:40:48 PM
to Dyllon Gagnier, Racket Developers
That’s an interesting point. One thing to keep in mind is that many of our users are installing DrRacket in educational settings, where the program is to be available to all users. Is it possible to install without admin privileges in a way that makes it available to all users?

John

alexha...@gmail.com

Feb 15, 2021, 12:39:54 AM
to Racket Developers
There are actually three "warning" dialogs that the user has to pass through:

* the first one comes from Edge, as it flags the file as "unsecure download" -- I suspect Edge is more careful about "new files" that it sees, and displays the warning.  If the user runs the file, Edge will send the file's hash to its servers, and if enough users download it, it will stop displaying the warning, assuming it is safe.

* the second one is the "This file is downloaded from the internet" warning, which is displayed for any file downloaded from the internet.  The warning is displayed for files which have an "Alternate Data Stream" and an ADS is created on download.  You can look at the alternate data streams using the "dir /r" command.  For racket it shows that it has a "Zone.Identifier" alternate data stream:

dir /r racket-8.0-x86_64-win32-cs.exe
 Volume in drive C is Windows

 Directory of C:\Users\aharsanyi\Downloads

02/15/2021  01:24 PM       181,647,576 racket-8.0-x86_64-win32-cs.exe
                                   159 racket-8.0-x86_64-win32-cs.exe:Zone.Identifier:$DATA
               1 File(s)    181,647,576 bytes
               0 Dir(s)  235,121,123,328 bytes free

The ADS can be opened as a file in notepad using: "notepad.exe racket-8.0-x86_64-win32-cs.exe:Zone.Identifier", which for Racket contains:


There are tools to remove these alternate data streams, the ADS will be created on download and the user has to either explicitly remove it or deal with the warning dialog.   ZoneID=3 means the file is from the "internet", ZoneID=2 would mean that it comes from a list of "trusted sites" and ZoneID=4 indicates that the file comes from sites that have been identified as malicious.  The zone comes from the Windows internet settings.  Not sure if it is affected by the file being signed with an EV certificate.

* the third dialog shows up when the application wants to install for all users, this is the "this software wants to make changes to your computer..." warning.   The warning shows up for all software which requests elevated privileges, but the header of the dialog is blue for signed applications and yellow for unsigned ones (I assume it would be red for software which is identified as bad, but I have never seen that).  This dialog does not show up if you try to install the application for the local user only, but of course, in such a case, the application is only available for the current user.

Alex.
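
The checks raised in this thread (listing a download's alternate data streams, reading its Zone.Identifier stream, looking at its signature status, and comparing a published file hash), gathered into one PowerShell function. This is an added example, not part of any post and not Racket project code; the function name Get-DownloadTrustInfo, its -ExpectedSha256 parameter and the scratch file are assumptions, and the zone names are the ones Windows uses for its security zones.

```powershell
# Added example: report a downloaded file's extra NTFS streams, Mark of the Web
# zone, Authenticode status and SHA-256. Needs Windows and an NTFS volume.
function Get-DownloadTrustInfo {          # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $ExpectedSha256          # hash published by the project, if any
    )
    # Names Windows gives its security zones (values stored as ZoneId).
    $zoneNames = @{ 0 = 'Local machine'; 1 = 'Local intranet'
                    2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }

    # Every stream except the unnamed main one (what "dir /r" lists).
    $extra = @(Get-Item -LiteralPath $Path -Stream * |
               Where-Object { $_.Stream -ne ':$DATA' } |
               ForEach-Object { $_.Stream })

    $zoneId = $null
    if ($extra -contains 'Zone.Identifier') {
        $text = Get-Content -LiteralPath $Path -Stream Zone.Identifier -Raw
        if ($text -match '(?m)^ZoneId\s*=\s*(\d+)') { $zoneId = [int]$Matches[1] }
    }

    $sig = Get-AuthenticodeSignature -FilePath $Path
    $sha = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash

    [pscustomobject]@{
        ExtraStreams = $extra -join ', '
        ZoneId       = $zoneId
        Zone         = if ($null -ne $zoneId) { $zoneNames[$zoneId] } else { 'none recorded' }
        Signature    = $sig.Status         # e.g. Valid or NotSigned
        Signer       = $sig.SignerCertificate.Subject
        Sha256       = $sha
        HashMatches  = if ($ExpectedSha256) { $sha -eq $ExpectedSha256.Trim() } else { $null }
    }
}

# Constructed sample: a scratch file marked the way a browser download would be.
$sample = Join-Path $env:TEMP 'motw-sample.bin'
Set-Content -LiteralPath $sample -Value 'constructed sample payload'
Set-Content -LiteralPath $sample -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3"
Get-DownloadTrustInfo -Path $sample | Format-List
Remove-Item -LiteralPath $sample
```

For a real download, pass the installer's path as -Path and the SHA-256 value from the project's download page as -ExpectedSha256.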

hashim....@gmail.com

Feb 24, 2021, 4:27:31 AM
to Racket Developers
I tried doing the same thing as Alex, as in, dir /p, and got this:

C:\Users\hashim\Downloads>dir /r racket-8.0-x86_64-win32-cs.exe
 Volume in drive C has no label.
 Volume Serial Number is 92D9-2ACE

 Directory of C:\Users\hashim\Downloads

24/02/2021  06:03 pm       181,647,576 racket-8.0-x86_64-win32-cs.exe
                                     7 racket-8.0-x86_64-win32-cs.exe:SmartScreen:$DATA
               1 File(s)    181,647,576 bytes
               0 Dir(s)  348,551,905,280 bytes free


Tried opening the file in notepad, i.e.:

C:\Users\hashim\Downloads>notepad.exe racket-8.0-x86_64-win32-cs.exe:SmartScreen:$DATA


The contents of the file are just this:
Anaheim


Maybe this is helpful in some way.