Microsoft SmartScreen-使用Inno Setup安装程序暂停了? [英] Microsoft SmartScreen - suspended using Inno Setup installer?
问题描述
我始终使用Inno Setup进行打包和发布。用户使用链接下载应用程序,例如:
如何解决此问题?
(仍不确定其标准代码签名与EV代码签名问题?我已经使用标准代码签名了几年,它一直都有效。我可以升级到EV代码签名,但是如何确定它不是Inno Setup编译器问题?如您所见,警告已显示在Inno Setup的上方URL中)
要验证是否是Inno Setup或代码签名问题(请参见 https://stackoverflow.com/a/29067585/285594 ),我已经完成了以下操作:
-
我已经从Microsoft下载了文件调用
winqual.exe,该文件不需要Inno安装程序。 -
我对
winqual.exe进行了签名并上传到了我的同一服务器上 -
我使用Internet Explorer下载了相同的文件,但没有向我显示SmartScreen。
如果Inno Setup是造成此问题的主要原因,现在是否有意义?
现在,您必须使用EV代码签名证书。
请参阅将Microsoft SmartScreen信誉转移到更新的证书。
下面是原始答案,它解决了问题的某些细节。
如果您认为问题是由于未签名的卸载程序引起的,请确保相应地设置了Inno Setup项目的 SignTool 指令。并确保 SignedUninstaller 指令的默认值为 yes 。
引用 SignTool 指令文档:
指定用于对安装程序进行数字签名的签名工具的名称和参数(,如果使用SignedUninstaller,则进行卸载设置为
是)。当安装程序具有有效的数字签名时,用户在启动它时将不会看到未识别程序警告。
如果要为卸载程序设置NXCOMPAT和DYNAMICBASE标志,则可以创建 sign.bat 批处理文件,它们都调用 signtool.exe 和 editbin.exe :
@echo off
editbin .exe / NXCOMPAT / DYNAMICBASE%1
signtool.exe标志...%1
调用必须按此顺序进行,否则 editbin.exe 会破坏签名。
然后使用 sign.bat 代替 SignTool 指令中的 signtool.exe
尽管我并不认为这是必要的,也无济于事。
I always use Inno Setup for packaging and publishing. Users download the application using a link for example: https://oursite.com/codesigned/mysetup.exe
Till now, it always worked. But recently I have to renew my code signing certificate because its expired. After renew I have SmartScreen problem, every users download the application and gets this Smartscreen which was not before.
I have used signtool.exe verify /pa innosetup-made-myexe.exe and it shows successful, also I have done the verification with Windows Application Certification Kit, that shows it is PASSED, but with WARNNINGS, all those WARNNINGS mostly generated by Inno Setup.
Here you can find the output, where its showing WARNINGS on Inno Setup exes:
https://docs.google.com/document/d/11frW_GxI0xSVcrAXh4_rqcKBQSaermAlpYKj4xzQi4o/pub
How can I fix this problem?
(still not sure if its Standard Code Signing vs EV code signing issue? I already used Standard Code Signing for few years, it always worked. I can upgrade to EV Code signing, but how can I make sure its not Inno Setup compiler problem? As you can see already the WARNNINGS are shown in the URL above to Inno Setup)
To verify if it's Inno Setup or code signing issue (see https://stackoverflow.com/a/29067585/285594), I have done following:
From Microsoft, I have downloaded the file call
winqual.exe, which does not need Inno Setup.I code signed the
winqual.exeand uploaded to my same serverI downloaded the same file with Internet Explorer and it works without showing me the SmartScreen.
Does it make any sense now if Inno Setup is the main cause of this problem?
Nowadays, you have to use EV code signing certificates.
See Transferring Microsoft SmartScreen reputation to renewed certificate.
Below is the original answer, which addresses some specifics of the question.
If you believe the problem is due to an unsigned uninstaller, make sure you set the SignTool directive of your Inno Setup project accordingly. And make sure SignedUninstaller directive has its default value yes.
Quoting SignTool directive documentation:
Specifies the name and parameters of the Sign Tool to be used to digitally sign Setup (and Uninstall if SignedUninstaller is set to
yes). When Setup has a valid digital signature, users will not see an "unidentified program" warning when launching it.
If you want to set NXCOMPAT and DYNAMICBASE flags to the uninstaller, you can create a sign.bat batch file that both calls signtool.exe and editbin.exe:
@echo off
editbin.exe /NXCOMPAT /DYNAMICBASE %1
signtool.exe sign ... %1
The calls need to be in this order, otherwise the editbin.exe breaks the signature.
Then use the sign.bat instead of signtool.exe in the SignTool directive.
Though I do not really think this is necessary, nor helps anything.
这篇关于Microsoft SmartScreen-使用Inno Setup安装程序暂停了?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
