Code signing

[poma]

Uploader needs to be signed to prevent some nasty warning screens in browsers/antiviruses. I wasn't able to find any free certs for open source. The cheapest one found to date if from signum €28. Leaving this issue for later when we will have enough funds.

[ekzor]

Note the €28 figure from signum is if you have the "I have my own reader and and cryptographic card (Activation code)" option selected. I have no idea what this means, but when you turn it off the price jumps to €86.

[mikec83]

Kaspersky thinks it is malware too:

04.09.2017 17.08.03 Malicious program deleted PDM:Trojan.Win32.Generic Application name: Uploads Heroes of the Storm replay Application path: e:\downloads\hotsapiuploadersetup.exe Time: 9/4/2017 5:08 PM 04.09.2017 17.08.03 Malicious program deleted PDM:Trojan.Win32.Generic Application name: Uploads Heroes of the Storm replay Application path: c:\users\mike\appdata\local\hotsapi\app-1.3.0\hotsapi.uploader.exe Time: 9/4/2017 5:08 PM 04.09.2017 17.07.55 Malicious program terminated PDM:Trojan.Win32.Generic Application name: Hotsapi.Uploader.Windows Application path: C:\Users\mike\AppData\Local\Hotsapi\app-1.3.0\Hotsapi.Uploader.exe Time: 9/4/2017 5:07 PM 04.09.2017 17.07.55 Malicious program detected PDM:Trojan.Win32.Generic Application name: Uploads Heroes of the Storm replay Application path: e:\downloads\hotsapiuploadersetup.exe Time: 9/4/2017 5:07 PM 04.09.2017 17.07.55 Malicious program detected PDM:Trojan.Win32.Generic Application name: Uploads Heroes of the Storm replay Application path: c:\users\mike\appdata\local\hotsapi\app-1.3.0\hotsapi.uploader.exe Time: 9/4/2017 5:07 PM

[smeckl]

Both Norton AV and Windows Defender flag it as "Untrusted". Norton AV's SONAR sandboxing system flagged it as "suspicious". Code signing will solve this, but are expensive.

[poma]

Do you use latest AV update? because on VirusTotal both Symantec and Kaspersky show up as Clean

[smeckl]

It's not flagged as malware, just as "suspicious". SONAR uses heuristic behavior-based detection, not signatures. VirusTotal only uses the signature-based detection engine.

You can get it to run under Norton AV, but you have to ignore a couple of warnings first.

[ekzor]

do you think this is all because of the 'start with windows' checkbox? if so, maybe there's a other way to get it to start with windows like using the user's start menu Startup directory or something.

a lot of apps have a start with windows option.... do they all get flagged like this too?

[poma]

I think for registry based startup code signing is a big deal. Although now that windows 10 shows all startup items in task manager there shouldn't be much difference, so just historical reasons I guess.

I've started implementing shortcuts in link-based-startup branch some time ago but didn't release it because Squirrel.Windows doesn't return shortcut paths. I can hardcode them instead if it helps with AV.

[poma]

UPDATE: I failed to get a code signing cert because of how complex this process is in Russia. None of the notaries I've asked even had a clue how this verification process works, and it was hard to get some required documents because I don't have most of them, and the also needed to be translated to English and officially verified.

So yeah I've requested a refund for certificate purchase.