Code signing to help with Windows virus false positives
August 15, 2016
With all of the issues people are having with Windows Defender now would be a good time to start code signing the Windows installer and binaries (doing this is the first thing Microsoft suggests on their page for Software Developers about Windows Defender false positives).

I propose the D Foundation acquire a code signing certificate and we start using it for releases. Alternatively any well known organization member could be the signer (having "The D Foundation" on the popup sure would look nice though). I'd be happy to put my money where my mouth is and chip in some of the money to cover the certificate cost.

I've used StartSSL's code signing certificates successfully for this purpose but I imagine any vendor will do. The biggest hassle is certificate format conversion, but once you've got the certificate in the Windows certificate store, signing is just a command line call that can be easily scripted.

There is already an issue created for this here: https://issues.dlang.org/show_bug.cgi?id=16065
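As an added example (not code from the original post), the "command line call that can be easily scripted" above, written as a PowerShell script: it selects the publisher certificate from the Windows certificate store by thumbprint, signs each release file with signtool using a SHA-256 digest and an RFC 3161 timestamp, then verifies the Authenticode signature before the file is published. The thumbprint, timestamp server URL and file names are placeholders, and signtool.exe from the Windows SDK is assumed to be on PATH.

```powershell
# Added example: sign release binaries/installer with a certificate already
# imported into the current user's certificate store, then verify the result.
# Assumes signtool.exe (Windows SDK) is on PATH. Thumbprint, timestamp URL
# and file names below are placeholders, not values from the thread.
param(
    [string]$Thumbprint = "PLACEHOLDER_CERT_THUMBPRINT",
    [string]$TimestampUrl = "http://timestamp.example.invalid",  # RFC 3161 TSA (placeholder)
    [string[]]$Files = @(".\dmd-installer.exe", ".\dmd.exe")    # placeholder file names
)

$ErrorActionPreference = "Stop"

# Locate the signing certificate; fail early if it is missing or has no private key.
$cert = Get-ChildItem -Path "Cert:\CurrentUser\My" |
    Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in Cert:\CurrentUser\My" }
if (-not $cert.HasPrivateKey) { throw "Certificate has no private key; cannot sign" }

foreach ($file in $Files) {
    # /fd SHA256: SHA-256 file digest. /tr + /td SHA256: RFC 3161 timestamp, so the
    # signature stays valid after the certificate expires. /sha1: pick the cert by thumbprint.
    & signtool.exe sign /fd SHA256 /tr $TimestampUrl /td SHA256 /sha1 $Thumbprint /v $file
    if ($LASTEXITCODE -ne 0) { throw "signtool failed on $file (exit code $LASTEXITCODE)" }

    # Independent check with the built-in cmdlet: the status must be Valid and the
    # signer must be the certificate we intended, not whatever signtool selected.
    $sig = Get-AuthenticodeSignature -FilePath $file
    if ($sig.Status -ne "Valid") { throw "$file: signature status is $($sig.Status)" }
    if ($sig.SignerCertificate.Thumbprint -ne $Thumbprint) { throw "$file: unexpected signer" }
    if (-not $sig.TimeStamperCertificate) { Write-Warning "$file: signed but not timestamped" }
    Write-Host "$file signed by '$($sig.SignerCertificate.Subject)' and verified"
}
```

Run it from a release checkout after the certificate has been imported; the verification step is what catches a wrong certificate or a silently skipped timestamp before the files go out.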
August 15, 2016
On Monday, 15 August 2016 at 17:05:32 UTC, Brad Anderson wrote:
> With all of the issues people are having with Windows Defender now would be a good time to start code signing the Windows installer and binaries (doing this is the first thing Microsoft suggests on their page for Software Developers about Windows Defender false positives).
>
> I propose the D Foundation acquire a code signing certificate and we start using it for releases. Alternatively any well known organization member could be the signer (having "The D Foundation" on the popup sure would look nice though). I'd be happy to put my money where my mouth is and chip in some of the money to cover the certificate cost.
>
> I've used StartSSL's code signing certificates successfully for this purpose but I imagine any vendor will do. The biggest hassle is certificate format conversion, but once you've got the certificate in the Windows certificate store, signing is just a command line call that can be easily scripted.
>
> There is already an issue created for this here: https://issues.dlang.org/show_bug.cgi?id=16065

Do you think that a certificate prevents an antivirus from scanning an executable? I'm laughing out loud here.
August 15, 2016
On Monday, 15 August 2016 at 18:52:03 UTC, Basile B. wrote:
> On Monday, 15 August 2016 at 17:05:32 UTC, Brad Anderson wrote:
>> With all of the issues people are having with Windows Defender now would be a good time to start code signing the Windows installer and binaries (doing this is the first thing Microsoft suggests on their page for Software Developers about Windows Defender false positives).
>>
>> I propose the D Foundation acquire a code signing certificate and we start using it for releases. [...]
> Do you think that a certificate prevents an antivirus from scanning an executable? I'm laughing out loud here.

Mmmh, I discredit myself, I meant rolling on the floor laughing...

Anyway, do you imagine the AV publishers' policy against devs: "If your binaries are signed, we promise you won't have false positives...", i.e. "buy a certificate".

What is this called in the everyday world? Racketeering?
August 15, 2016
On Monday, 15 August 2016 at 19:08:56 UTC, Basile B. wrote:
> What is this called in the everyday world? Racketeering?

exactly.
August 15, 2016
On Monday, 15 August 2016 at 18:52:03 UTC, Basile B. wrote:
> On Monday, 15 August 2016 at 17:05:32 UTC, Brad Anderson wrote:
>> With all of the issues people are having with Windows Defender now would be a good time to start code signing the Windows installer and binaries (doing this is the first thing Microsoft suggests on their page for Software Developers about Windows Defender false positives).
>>
>> I propose the D Foundation acquire a code signing certificate and we start using it for releases. Alternatively any well known organization member could be the signer (having "The D Foundation" on the popup sure would look nice though). I'd be happy to put my money where my mouth is and chip in some of the money to cover the certificate cost.
>>
>> I've used StartSSL's code signing certificates successfully for this purpose but I imagine any vendor will do. The biggest hassle is certificate format conversion, but once you've got the certificate in the Windows certificate store, signing is just a command line call that can be easily scripted.
>>
>> There is already an issue created for this here: https://issues.dlang.org/show_bug.cgi?id=16065
>
> Do you think that a certificate prevents an antivirus from scanning an executable? I'm laughing out loud here.

No. Of course not.

To quote Microsoft: "Signing your program’s files in a consistent manner, with a digital certificate issued by a trusted root authority, helps our research team quickly identify the source of a program and apply previously gained knowledge. In some cases this can result in your program being quickly added to the known list or, far less frequently, in adding your digital certificate to a list of trusted publishers."

At work we added class 3 code signing and it helped quite a bit with McAfee's warnings about our software for end users. In that case it was warnings about new releases of our software that hadn't had many installs yet.

Microsoft isn't selling certificates (though it'd be nice if they offered them like Apple does although with Apple you have to get a DUNS number which I'm sure you consider a scam as well).

Please share your suggestions for how to help with the false positive issue (or just continue laughing in ignorance based on an assumption of something I never said).
August 15, 2016
On Monday, 15 August 2016 at 19:58:14 UTC, Brad Anderson wrote:
> At work we added class 3 code signing and it helped quite a bit with McAfee's warnings about our software for end users. In that case it was warnings about new releases of our software that hadn't had many installs yet.
>
> Microsoft isn't selling certificates (though it'd be nice if they offered them like Apple does although with Apple you have to get a DUNS number which I'm sure you consider a scam as well).
>
> Please share your suggestions for how to help with the false positive issue (or just continue laughing in ignorance based on an assumption of something I never said).

Unfortunately, until Walter agrees to introduce some moderation around here, you need to ignore the trolls - they feed on negative energy (OT: https://www.youtube.com/watch?v=FMEe7JqBgvg).

I think it's a great idea & you should definitely get in touch with Martin Nowak!
August 15, 2016
On Monday, 15 August 2016 at 20:07:30 UTC, Seb wrote:
> On Monday, 15 August 2016 at 19:58:14 UTC, Brad Anderson wrote:
>> At work we added class 3 code signing and it helped quite a bit with McAfee's warnings about our software for end users. In that case it was warnings about new releases of our software that hadn't had many installs yet.
>>
>> Microsoft isn't selling certificates (though it'd be nice if they offered them like Apple does although with Apple you have to get a DUNS number which I'm sure you consider a scam as well).
>>
>> Please share your suggestions for how to help with the false positive issue (or just continue laughing in ignorance based on an assumption of something I never said).
>
> Unfortunately, until Walter agrees to introduce some moderation around here, you need to ignore the trolls - they feed on negative energy (OT: https://www.youtube.com/watch?v=FMEe7JqBgvg).
>
> I think it's a great idea & you should definitely get in touch with Martin Nowak!

It's not trolling (unless you define trolling as "everything that goes against my position"), I just exposed my arguments. I'm afraid to see people overreacting in front of a minor and temporary problem. It seems that 3 or 4 posts are considered enough to act but you (the "pro-certificate-ppl") do not try to see why 3 or 4 posts could be "not enough", i.e. you are biased. You are about to act just because of what's happening right now.
August 15, 2016
On Monday, 15 August 2016 at 19:58:14 UTC, Brad Anderson wrote:
> On Monday, 15 August 2016 at 18:52:03 UTC, Basile B. wrote:
>> On Monday, 15 August 2016 at 17:05:32 UTC, Brad Anderson wrote:
>>> With all of the issues people are having with Windows [...]
>>> There is already an issue created for this here: https://issues.dlang.org/show_bug.cgi?id=16065
>>
>> Do you think that a certificate prevents an antivirus from scanning an executable? I'm laughing out loud here.
>
> No. Of course not.
>
> To quote Microsoft: "Signing your program’s files in a consistent manner, with a digital certificate issued by a trusted root authority, helps our research team quickly identify the source of a program and apply previously gained knowledge. In some cases this can result in your program being quickly added to the known list or, far less frequently, in adding your digital certificate to a list of trusted publishers."
>
> At work we added class 3 code signing and it helped quite a bit with McAfee's warnings about our software for end users. In that case it was warnings about new releases of our software that hadn't had many installs yet.
>
> Microsoft isn't selling certificates (though it'd be nice if they offered them like Apple does although with Apple you have to get a DUNS number which I'm sure you consider a scam as well).
>
> Please share your suggestions for how to help with the false positive issue (or just continue laughing in ignorance based on an assumption of something I never said).

If the origin of the problem is NSIS, then as a first step it would be worth trying InnoSetup or an MSI installer.
August 15, 2016
On Monday, 15 August 2016 at 20:43:59 UTC, Basile B. wrote:
> It's not trolling (unless you define trolling as "everything that goes against my position"), I just exposed my arguments. I'm afraid to see people overreacting in front of a minor and temporary problem. It seems that 3 or 4 posts are considered enough to act but you (the "pro-certificate-ppl") do not try to see why 3 or 4 posts could be "not enough", i.e. you are biased. You are about to act just because of what's happening right now.

Sorry for my harsh words, but Brad had an idea (and even offered his _personal_ money) & you immediately replied:

> I'm laughing out loud here.
> Mmmh, I discredit myself, I meant rolling on the floor laughing...

A fruitful discussion is often based on offering good alternative proposals ;-)

August 15, 2016
On Monday, 15 August 2016 at 20:43:59 UTC, Basile B. wrote:

> It's not trolling (unless you define trolling as "everything that goes against my position"), I just exposed my arguments. I'm afraid to see people overreacting in front of a minor and temporary problem. It seems that 3 or 4 posts are considered enough to act but you (the "pro-certificate-ppl") do not try to see why 3 or 4 posts could be "not enough", i.e. you are biased. You are about to act just because of what's happening right now.

Is there some threshold for a bug report to be considered actionable? Aside from that, given that a small percentage of D users actually post in the forums, four posts on the same issue is something that ought to be taken as a problem. There's no way to know how many have encountered it and just decided to go elsewhere. It's not about being "pro-certificate", but about solving a problem that's potentially damaging to the perception of D.