[Ente Auth] Desktop app installer rejected by Microsoft Defender SmartScreen due to Unknown publisher #1297
Comments
This is something I have also experienced. I want to be able to access my personal accounts from my work PC and I'm unable to run the exe or install it because the program publisher verification failed. If the application was signed, I would be able to use Ente. I'll be watching this one closely as I cannot migrate to Ente until I can get past this. |
Confirmed in photos desktop 1.7.1-rc |
To update this report, I downloaded Ente Auth v3.0.13 and the program publisher no longer says "Unknown Publisher" but now SAYS "Ente". This is in the right direction but it's still failing Windows SmartScreen and says publisher verification failed. |
Same with photos-desktop 1.7.2 |
I am not even having an option to "Run Anyway" when trying to run the latest portable/standalone and other Windows apps. But they have to do something about the portable standalone Windows app as well! |
I was hoping to migrate to Ente Auth too as it looks great. Alas I also got the SmartScreen warning. I was able to "run anyway" then Trend Micro blocked it stating it was Malware. All sorts of alarms are probably going off in my IT department now as it's on my work PC. Back to my 2nd option of using 2FAS unfortunately. Will be great if they get this resolved. |
My company is moving in big ways to implement EDR and EPM. In the near future I will be restricted from running unverified apps. I switched to Ente after Twilio killed the Authy desktop client. I'd very much like to see this as a clean install so I don't get jammed up in the future. At a certain point I won't be able to update if the installers continue to be unsigned. |
With how privacy and security focused Ente is, I would expect that code signing would be a priority. Not having a Flatpak and on Windows not using the app sandbox, aka always granting full system access, is bad enough, but then at least sign your executables that you expect us to grant full system access... |
@Dosenwerfer yeah, and the Windows SmartScreen warning also deters new users because they think this app is malicious |
@dnet890 and rightfully so, unsigned and unsandboxed executables are not to be trusted by anyone but the person who built them, especially not with something as sensitive as the private key to all your media and furthermore access to the entire system (unsandboxed Windows executable). I'm not even sure whether Ente Photos complies with reproducible build standards, so even if one were to make the effort, we might not even be able to verify the integrity of the binaries by building from source and comparing the outputs. |
Microsoft expects publishers to purchase a paid certificate, which we have been deferring. Since the problem has now become severe, we will invest time and resources. Please be patient, and mindful that Auth is a free, open source project. |
Good to hear that you will address it. It doesn't just affect the Auth installer though, no? Last time I checked, the Photos installer was also rejected / warned about by SmartScreen due to the missing signature. This was when I wanted to help install it on a family member's Windows machine, whom I wanted to share my paid plan with, and this wasn't exactly trust-inducing after I had just made the effort of convincing them to make the switch with their memories to a provider they didn't know yet and just took my word for it. Even I myself was pretty taken off guard by this and double checked the website's TLS certificate to get at least some level of authenticity. Or has this been fixed for Photos in the meantime? |
The issue has not been as severe on Photos, likely because it is not built on Flutter. Once we've solved the issue for Auth, we can replicate that solution for Photos as well. In the meantime, if you're aware of FOSS projects that use GitHub actions for signed reproducible builds, do let us know. |
I realize this is free and I am thankful for you guys creating the best available cross-platform FOSS synced TOTP authenticator! This issue is creating quite a lot of negative feedback when I try to recommend Ente Auth in relevant security forums.
If the issue is caused by Flutter, why does the portable ZIP version of Ente Auth for Windows not have the same issue? Would it help to utilize a different Windows installer utility? The ZIP appears to be clean (even when testing most files individually):
But, the current regular Windows installer now has 13 detections including CrowdStrike, Google, TrendMicro, and Microsoft: |
Thank you for the analysis. We have changed the Windows build process to use ZIP compression instead of Virustotal Scan result for 4.3.2 executable 🤷♂ |
That seems to have cleared up the MS alerts, using the latest version Antivirus Version: 1.421.1576.0, downloaded this morning shows the 4.3.2 as clean. |
Description
When attempting to install ente-auth-v2.0.50-installer.exe - the latest release for Windows, Microsoft SmartScreen prompts the user to either "Run anyway" or "Don't run" due to "Running this app might put your PC at risk."
With Ente auth being a security related/adjacent resource (which I'm grateful for - thank you and congrats on the Desktop release!) this is probably something that would ideally not pop.
Version
v2.0.50
What product are you using?
Ente Auth
What platform are you using?
Desktop - Windows
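
A way to see what Windows itself reports about the installer's signature before deciding whether to run it. This is an added example, not part of the issue thread or the Ente project; the function name `Get-InstallerTrustReport`, the download folder and the optional `-ExpectedSha256` value are assumptions for illustration.

```powershell
# Added example: report Authenticode status, signer and hash for a downloaded installer.
# Get-InstallerTrustReport is a hypothetical helper name, not an Ente or Microsoft tool.
function Get-InstallerTrustReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Path,

        # Optional SHA-256 obtained from a channel you trust; none is given on this page.
        [string]$ExpectedSha256
    )

    $file = Get-Item -LiteralPath $Path -ErrorAction Stop
    $sig  = Get-AuthenticodeSignature -LiteralPath $file.FullName
    $hash = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash

    # Browsers add a Zone.Identifier stream to mark a file as downloaded from the internet.
    $zone = Get-Item -LiteralPath $file.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue

    $cert = $sig.SignerCertificate

    [pscustomobject]@{
        File            = $file.Name
        # NotSigned: no signature at all. Valid: signature and chain verified.
        # Any other value (HashMismatch, NotTrusted, UnknownError, ...) means
        # a signature is present but Windows could not verify it.
        SignatureStatus = $sig.Status
        StatusMessage   = $sig.StatusMessage
        Signer          = if ($cert) { $cert.Subject }  else { $null }
        Issuer          = if ($cert) { $cert.Issuer }   else { $null }
        CertExpires     = if ($cert) { $cert.NotAfter } else { $null }
        Timestamped     = [bool]$sig.TimeStamperCertificate
        FromInternet    = [bool]$zone
        Sha256          = $hash
        # String comparison with -eq is case-insensitive in PowerShell.
        HashMatches     = if ($ExpectedSha256) { $hash -eq $ExpectedSha256 } else { $null }
    }
}

# Usage with the file name from the report above; the Downloads folder is an assumption.
Get-InstallerTrustReport -Path "$env:USERPROFILE\Downloads\ente-auth-v2.0.50-installer.exe" |
    Format-List
```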