31

I have an installer for my C# program. I uploaded it to my website, but whenever I try to download it in Chrome or IE, I get "MY FILE* is not commonly downloaded and could be dangerous." You can only keep it if you click a tiny arrow and choose "Keep" from a menu. Only a tenth or less of users will be able to get my program. How could I work around this? I have heard about digital code signing, but at hundreds of dollars a year this is really not an option for me. Would making an MSI installer or putting it on a software website help?

msbg
  • If you don't sign the program, you will keep getting this message. – Spudley Sep 01 '12 at 21:52
  • Here is how to get your link reviewed: https://support.google.com/webmasters/bin/answer.py?hl=en&answer=1249981 – Gavin Stevens Oct 30 '12 at 05:16
  • I tried the link above because my downloads are signed with a VALID authenticode from Comodo and every executable in the downloaded MSI installer is also signed with that cert. The trouble is this: The link above says that I have to go to my site's security review, which shows nothing. I have NO WAY to get this undone. Does anyone have a *working* alternative? – John Tamburo Nov 23 '15 at 21:49

6 Answers

13

The best resources are this blog post and this blog post.

To sum up:

  1. Sign your package with an Authenticode signature.
  2. Don't be malware (I'm sure you got that covered).
  3. Logo your software (if it's not a browser plug-in).

This can be a frustrating process, so hang in there. Microsoft has not disclosed how many downloads one needs to build a reputation, but in practice once you stop changing the package (the hash is part of the reputation) then you can get past this fairly quickly.

i_am_jorf
  • 4
    So basically all options require you to pay hundreds of dollars per year, which is not an option for free software. – riv Mar 23 '14 at 11:56
  • It is right around $100/year according to the first blog post. Doesn't seem like that much of a stretch. – i_am_jorf Mar 24 '14 at 03:31
  • 3
    Still, I'm not getting any money for publishing free software, why are they forcing me to pay to do that? Also, the few certificate resellers I checked were selling for $200-300/year. – riv Apr 20 '14 at 12:40
  • 7
    You have to prove who you are, and the people who do that need to get paid. I dunno man. It's the way it is. Try kickstarter or asking for donations. Or just don't give a crap and ship unsigned software. Or give people the source code and let them build it themselves. Or maybe do something else. – i_am_jorf Apr 20 '14 at 16:32
  • 4
    Signing the package doesn't seem to work. I just spent hundreds of dollars signing the package and I still get the warning in Chrome. The same file scans as 0% malware on virustotal.com. – NickG Jan 14 '16 at 15:41
  • How many people downloaded the package that you spent hundreds of dollars signing? First other people need to download it. – Damian Yerrick Feb 23 '17 at 19:52
  • Why isn't there a code signing counterpart to a self-signed or domain-validated TLS certificate? A self-signed or domain-validated TLS certificate would claim "the person who published program A is the same person who published program B, and program B is generally regarded as safe." – Damian Yerrick Feb 23 '17 at 19:54
  • 1
    Microsoft has archived the blog posts linked in this answer. I found one [here](https://learn.microsoft.com/en-us/archive/blogs/ie/smartscreen-application-reputation-building-reputation), but the other seems to have fallen out of favour completely. – Ken Rachynski Mar 13 '20 at 17:52
  • Microsoft has [deprecated logo certification](https://techcommunity.microsoft.com/t5/windows-hardware-certification/win32-logo-certification-deprecation/ba-p/364920) in favor of Desktop Bridge. – Edward Brey May 26 '20 at 21:12
  • I am facing this problem. Is there any solution without a signing certificate? It costs a lot. – Ahmad Jun 04 '21 at 10:09
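The first step in this answer, signing the package, is the one most often done wrong in a build pipeline: the signing step is skipped or a post-processing step rewrites the binary after it was signed. The following is an added example, not code from the answer or from Microsoft, that parses the PE header and reports whether the file carries an Authenticode certificate table at all. It is a presence check only; validity and trust still have to come from `signtool verify /pa` or WinVerifyTrust. The sample PE images are constructed in the block and the "signature" blob is zero filler, not a real PKCS#7 structure.

```python
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4        # index of the Certificate Table data directory
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002   # Authenticode signatures are PKCS#7 SignedData
WIN_CERT_REVISION_2_0 = 0x0200


def authenticode_status(pe: bytes) -> dict:
    """Report whether a PE file has an Authenticode blob attached.

    Only the presence of the Certificate Table is checked; this says nothing
    about whether the signature verifies or the signer is trusted. Use it as a
    pre-release sanity check that the signing step actually ran on the final file.
    """
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4
    (size_of_optional,) = struct.unpack_from("<H", pe, coff + 16)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", pe, opt)
    if magic == 0x10B:            # PE32: 32-bit optional header layout
        rva_count_off, dirs_off = 92, 96
    elif magic == 0x20B:          # PE32+: 64-bit optional header layout
        rva_count_off, dirs_off = 108, 112
    else:
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    (num_dirs,) = struct.unpack_from("<I", pe, opt + rva_count_off)
    if num_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY or dirs_off + 8 * num_dirs > size_of_optional:
        return {"signed": False, "reason": "no Certificate Table directory entry"}
    entry = opt + dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    # Unlike every other data directory, this entry holds a file offset, not an RVA.
    offset, size = struct.unpack_from("<II", pe, entry)
    if offset == 0 or size == 0:
        return {"signed": False, "reason": "Certificate Table entry is empty"}
    if size < 8 or offset + size > len(pe):
        return {"signed": False, "reason": "Certificate Table points outside the file"}
    length, revision, cert_type = struct.unpack_from("<IHH", pe, offset)  # WIN_CERTIFICATE header
    return {
        "signed": cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA,
        "offset": offset,
        "size": size,
        "revision": revision,
        "cert_type": cert_type,
        "declared_length": length,
    }


def build_sample_pe(signed: bool) -> bytes:
    """Constructed minimal PE32+ image (no sections, no code) for the demo."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))             # e_lfanew -> right after DOS header
    opt_size = 112 + 16 * 8                                 # PE32+ fixed part + 16 data directories
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)                   # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)                    # NumberOfRvaAndSizes
    image = dos + b"PE\0\0" + coff + opt
    if signed:
        body = b"\x00" * 24                                 # placeholder where PKCS#7 DER would sit
        cert = struct.pack("<IHH", 8 + len(body), WIN_CERT_REVISION_2_0,
                           WIN_CERT_TYPE_PKCS_SIGNED_DATA) + body
        entry = len(dos) + 4 + len(coff) + 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
        struct.pack_into("<II", image, entry, len(image), len(cert))
        image += cert
    return bytes(image)


if __name__ == "__main__":
    for flag in (False, True):
        print(flag, authenticode_status(build_sample_pe(flag)))
```

On a real build artifact, read the file into bytes and pass it to `authenticode_status`; a `signed: False` result on the installer you are about to upload means the reputation process described in the answer cannot even start.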
3

I've fixed this by uploading the file to Google Drive (you can convert the Google Drive share link to a direct download link using some online converter).

Now my executable downloads without warning. Silly but it works.

Guest
1

I just had the problem (again) today:

file is not commonly downloaded (keep/discard)

I made many tests, including moving the zip to another server, re-compressing the zip file with other software, etc. I concluded that Google Chrome didn't like that the zip file contained a .url shortcut file (a link to my site). I removed the .url from my zip and then it worked without the download error.

I had to change content inside ~5000 zip files on two sites, nice one Google.

BTW: the site is not listed as malware anywhere, and the files inside the zips are mostly .psd on one site and .swf on the other site, no exe or anything.

And previously when I had this problem it was because of some bad header(s) set when downloading the file.

adrianTNT
0

In fact, in my case a much simpler solution helped. I just moved the files onto Amazon S3 storage and the warning disappeared right away.

Consider trying this before buying the certs.

Edit: Not working anymore.

Wiseman
  • Let me make sure this is clear to everyone: if you want to host your own files on your own server/site, that is a no-no and will get flagged. But if malware writers want to upload, for free, to S3 then that's ok? – Natalie Adams Dec 08 '14 at 00:29
  • No, Nathan, not exactly. If your own website is trusted enough you are free to use it. If your website is fairly new, you'd better use S3 or some other trusted mirror... or prove your "worthiness" by buying certs :) – Wiseman Dec 08 '14 at 08:01
  • 1
    I have several problems with this scheme: what are the criteria for being "trusted"? From what I've read there is no actual oversight, just whatever Google/Microsoft feels like. And with the hack of DigiNotar I would be cautious about blindly trusting certs. At the end of the day a malware writer doesn't need any of that; they can upload to S3 or a compromised site, which defeats this whole vetting process and only makes development more difficult for small guys like me (on top of the IE workarounds I already have to do...). – Natalie Adams Dec 08 '14 at 15:11
  • Well, nobody said that it is easy to be a small developer. You gotta man up :) – Wiseman Dec 09 '14 at 07:50
  • Don't know how it is going for others, but for me this "lifehack" stopped working some time ago... – Wiseman Feb 26 '15 at 07:44
  • 3
    This doesn't do it anymore. – psp Feb 27 '15 at 04:45
0

Similar to Wiseman's suggestion. I had this problem with downloads on a new website I had created. I noticed that the same file downloads did not show the warning in Chrome when downloaded from my original website, which has existed for years. So I simply linked the downloads on my new website to files I put on my old website's server. Even with newer files, they no longer showed the warning. I assume this is because my older website was established and considered "trusted" by Google/Chrome.

panofish
0

In my case I solved it with the following set of headers:

Cache-Control: max-age=864000
Content-type: application/octet-stream
Content-Disposition: attachment; filename="....zip"
Content-Transfer-Encoding: binary
Last-Modified: ...
Etag: ...
Content-Length: ...

Be extra observant of Content-Type, Cache-Control, Last-Modified and Etag, which seemed to be the helpful headers for me.

tim