Kaspersky Endpoint Security 10 flags the DMD installer as malicious!

Radu void at null.pt
Thu Jul 26 07:34:21 UTC 2018


On Thursday, 26 July 2018 at 07:25:24 UTC, Seb wrote:
> On Wednesday, 25 July 2018 at 09:49:54 UTC, Radu wrote:
>> On Wednesday, 25 July 2018 at 08:31:05 UTC, rikki cattermole 
>> wrote:
>>> [...]
>>
>> It is a very simple thing to do. But the foundation hasn't 
>> bothered buying a code signing certificate, even though it is 
>> cheap.
>>
>> Would be nice to hear why they haven't done this yet, 
>> considering that just the recurring open collective donations 
>> could cover expenses like this.
>
> It's not about paying for the certificate, if that would be 
> all, we would have done this long ago!
>
> The problem is to integrate it in our release process and that 
> no one involved has much experience with Windows. It doesn't 
> make things easier that we run Windows via VirtualBox for the 
> release building and the snake oil industry requires a hardware 
> 2FA process when signing binaries with their certificate.
>
> Let me quote Martin (our release tzar) from one of the many 
> internal mails:
>
>>>>[...]
> I can figure this all out, it's again a small but 
> lower-priority issue cutting the line though.
>
> After my vacation I'm currently finalizing the highly-available 
> code.dlang.org migration.
> Next will be migrating ci.dlang.io to Buildkite, then beginning 
> the research for use-after-free/alias tracking.
>
> ---
> Would be great if someone with actual interest in this would 
> take care of it completely.
>
> Win binary builds to sign .exe and .dll:
> https://github.com/dlang/installer/blob/master/create_dmd_release/create_dmd_release.d#L267-L268
> Win installer build:
> https://github.com/dlang/installer/blob/e780ad79a1b2721f3c1a3c841bd46a4bd39b37dc/create_dmd_release/build_all.d#L313-L322
> Setup script for Win box in case we need to install tools:
> https://gist.github.com/MartinNowak/8270666
> ---
>
> <<<

It is important to have that certificate, as you can see from 
this 
https://forum.dlang.org/post/siugqkvkngnzdgqulaxo@forum.dlang.org 
signing the installer is not a big deal. `osslsigncode` runs on 
Linux so I think it should be fairly straightforward to add it 
as a step in the build script.
The example command from the link I gave is used in production 
somewhere and it works.

So, buy a certificate :)

