Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Winget Installer Blocked by Microsoft Defender SmartScreen #319

Open
harkabeeparolus opened this issue Aug 2, 2023 · 3 comments
Open

Winget Installer Blocked by Microsoft Defender SmartScreen #319

harkabeeparolus opened this issue Aug 2, 2023 · 3 comments
Labels
bug

Comments

@harkabeeparolus
Copy link

harkabeeparolus commented Aug 2, 2023
edited
Loading

Steps to reproduce

  1. Use Windows 11.
  2. Type winget install vim.vim
Downloading https://github.com/vim/vim-win32-installer/releases/download/v9.0.1672/gvim_9.0.1672_x64.exe
  ██████████████████████████████  10.4 MB / 10.4 MB
Successfully verified installer hash
Starting package install...
The installer will request to run as administrator, expect a prompt.
Successfully installed

It says successful, but nothing happens. No prompts, no windows, nothing.

However, when I download the exe file (gvim_9.0.1672_x64.exe) and run it from the web browser or Windows file manager, I do get an error message -- the following popup, and the only option is a button that says "Don't run":

Windows protected your PC

Microsoft Defender SmartScreen prevented an unrecognized app from starting. Running this app might put your PC at risk.

App:  gvim_9.0.1672_x64.exe 
Publisher:  Unknown publisher 

[Don’t run]

So winget fails because the executable is blocked.

Expected behaviour

I expected the installer to run.

  • The unsigned installers keep being blocked by Microsoft Defender SmartScreen.
  • All the signed installers seem to work normally.

For this reason, I suspect that the published winget package should use a signed installer, to avoid being blocked by Windows.

Version of Vim

9.0.1672

Environment

Windows version: Windows 11, 22H2 (OS Build 22621.1992)

Installer package: gvim_9.0.1672_x64.exe
@chrisbra
Copy link
Member

chrisbra commented Aug 8, 2023

For this reason, I suspect that the published winget package should use a signed installer, to avoid being blocked by Windows.

yes, that would be nice, but that is still a half-manual step, so not easily possibly at the moment. There is nothing we can do here to convince Defender to run the installer unfortunately.

@harkabeeparolus
Copy link
Author

To be clear, the signed installers work perfectly.

If it were possible to automate the winget YAML pipeline to only update whenever the latest signed installer is available, it would always work even if the signing is half manual.

@DRSchlaubi
Copy link

As you use signpath, maybe you should try getting into this EAP https://github.com/SignPath/github-action-submit-signing-request

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@chrisbra @harkabeeparolus @DRSchlaubi