3

Upgraded Telerik in my ClickOnce application to version 2014.3.1202.40. (Never sure of the best way to do this. After the install, all my references to Telerik controls was broken and I had to remove all Telerik references in each of the projects and re-add them. So, I may be upgrading in the wrong way. But that's another matter.)

I deploy my app to a staging folder on my web server before moving to production. The app is signed with a commercial code signing certificate from Comodo that doesn't expire until 2019. I've uploaded new versions many times with no problem. But now, since I upgraded the Telerik controls, I can't download the and install the application. Here's what happens:

  1. In Chrome, I enter the url: http://porpoiseanalytics.com/PorpoiseStaging/setup.exe
  2. I get the "Not commonly downloaded" warning where I never got that before. I don't get any error on Firefox nor on IE.
  3. If I tell Chrome to keep the file, I can start it. The installation starts on all the other browsers too.
  4. About 3/4 of the way through the download of the files, Avast blocks it with DRep virus (I'm guessing lack of reputation). If I turn off Avast, it installs fine. ClickOnce install log shows an error: "Exception occurred loading manifest from file [application].exe: the manifest may not be valid or the file could not be opened."

Why is my application suddenly acting like it has no reputation when it's been downloaded for months with no problems. But, after I modify the application in VS2010 and then remove and re-add the Telerik dll's, I suddenly have no reputation. And what makes matters worse, is that now my production download located at ttp://porpoiseanalytics.com/PorpoiseDownload/setup.exe is suddenly acting the same way.

I admit I don't have a good enough understanding of reputation, signing, and clickonce. But I do know that whereas before we were fine, after deploying the application, we're flagged as malicious software. I made a few code changes in the program (not many), but I also replaced the Telerik dlls. Probably has something to do with signing and publishing, but I can't figure it out. Please help. Thanks.

Dan G.
  • 529
  • 8
  • 21
  • Just to clarify, I've gone through many staging upgrade to production cycles for multiple versions and have never lost reputation. Seems to do with removing and re-adding dlls? That's my guess. But I need to know how to fix this, if possible so our uses don't suddenly see malicious downlod warnings and have to turn off their virus software to install it. Thx. – Dan G. Jan 27 '15 at 00:45
  • Install log shows an error: "Exception occurred loading manifest from file [application].exe: the manifest may not be valid or the file could not be opened." – Dan G. Jan 27 '15 at 13:14
  • Found a similar problem at http://stackoverflow.com/questions/9512919/getting-around-chromes-malicious-file-warning#answer-9727960 that covers the Chrome warning. I've signed up for Google Webmaster Tools and will wait for it crawl our site and see the results. – Dan G. Jan 27 '15 at 13:38
  • As it turned out, the Telerik upgrade had nothing to do with this. See the answer below for my take on it: Exe was not code signed. – Dan G. Jan 27 '15 at 23:17

2 Answers2

3

I think I figured it out. Although I had signed the manifest in the main UI project (the installer), the executable was not signed. With some help, learned how to do that:

  1. Download the Windows 7 SDK with signtool.
  2. In Visual Studio, open project properties in the main UI project.
  3. Open the Compile tab and click on the Build Events button.

  4. In the post-build events, enter:

    "C:\Program Files (x86)\Microsoft SDKs\Windows\v7.0A\Bin\signtool.exe" sign /f "$(ProjectDir)[name of code cert file]" /p "[password]" /t http://timestamp.comodoca.com/authenticode "$(ProjectDir)obj\$(ConfigurationName)\[exe name].exe

    where [name of cert file] is the name of the code-signing cert file, such as private_key.pfk, and [password] is the password used when exporting the certificate (if % is included in the password escape it with %%, so pass%word would be entered as pass%%word), and [exe name] is the name of your primary project executable.

In other projects within solution, sign those by inserting a similar command line in the same post-build location:

"C:\Program Files (x86)\Microsoft SDKs\Windows\v7.0A\Bin\signtool.exe" sign /f "$(ProjectDir)DAD_Code_Certificate.pfx" /p "<password>" /t http://timestamp.comodoca.com/authenticode "$(TargetPath)

Orignal Problem

My theory is that the original problem was caused because of a new feature in Avast 2015 that does a DomainRep (reputation?) check and if several criteria are all met, the alarm bells go off and it stops the download. Because my executable was not signed, it met all the requirements.

It is possible (although I really am not sure about this) that because of this DRep alarm, Google flagged the installer on our website as malicious, causing the red "not normally downloaded" warning when first starting the download.

At least, that's my best guess. Others will most certainly understand this better than me (and would have avoided it in the first place by signing the executable).

Dan G.
  • 529
  • 8
  • 21
1

Official answer from Google Apps technical support (I'm on the Silver support plan - $150/month):

I replicated the issue you are describing and it looks to be a known issue with Google Chrome, when trying to download an archive that has an executable in it.

Please be advised that Google Chrome is outside the support scope of Google Cloud, however the workaround is rather simple: when that message appears you can click on the arrow to the right of that message and chose "keep". This will download the file requested.

Katerina Topalova
  • 26
  • 1