Readme links to unsigned & unversioned Visual C++ Runtime File Download

Open MeikTranel opened this issue 1 year ago • 1 comments

Describe the bug: While I was coping with #709, I saw that the file the freshly updated readme is linking to was being detected by Edge's SmartScreen. The linked file download does not have a version or publisher name and is not signed.

Expected behavior: Microsoft Visual C++ Runtime downloads should probably be signed if propagated by security-related products as a requirement.

MeikTranel avatar Oct 10 '24 09:10 MeikTranel

Hi, @MeikTranel.

I don't see what you see. The README points to https://aka.ms/vs/17/release/vc_redist.x64.exe, which I obtained from https://learn.microsoft.com/cpp/windows/latest-supported-vc-redist?view=msvc-170#latest-microsoft-visual-c-redistributable-version

I used these steps to download and verify the file:

curl -L https://aka.ms/vs/17/release/vc_redist.x64.exe -o .\vc_redist.x64.exe
signtool verify /pa .\vc_redist.x64.exe

Here's the output of signtool verify:

File: .\vc_redist.x64.exe
Index  Algorithm  Timestamp
========================================
0      sha256     RFC3161

Successfully verified: .\vc_redist.x64.exe

If you have VS installed, signtool.exe should be available through a Developer Command Prompt.

dtivel avatar Oct 14 '24 19:10 dtivel
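
As a complement to the signtool steps in the reply above, this added example (not part of the thread or the project's code) checks the same downloaded file with PowerShell's built-in cmdlets and also reports the version and publisher fields the issue mentions. The function name `Test-InstallerSignature` and the expected publisher `Microsoft Corporation` are assumptions.

```powershell
# Added example: hypothetical helper, not code from the thread or the project.
function Test-InstallerSignature {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Assumption: the signer name you expect in the certificate subject.
        [string] $ExpectedPublisher = 'Microsoft Corporation'
    )

    $file = Get-Item -LiteralPath $Path -ErrorAction Stop
    $sig  = Get-AuthenticodeSignature -LiteralPath $file.FullName

    # Status is 'Valid' only when the file hash matches the signature and the
    # certificate chains to a trusted root. 'NotSigned', 'HashMismatch' and
    # 'NotTrusted' are the failure states worth telling apart in a report.
    $signed = $sig.Status -eq [System.Management.Automation.SignatureStatus]::Valid

    # Compare the subject name only after the signature itself has validated;
    # a matching name on an untrusted or mismatched signature means nothing.
    $publisherOk = $false
    if ($signed -and $sig.SignerCertificate) {
        $cn = $sig.SignerCertificate.GetNameInfo(
            [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
        $publisherOk = $cn -eq $ExpectedPublisher
    }

    [pscustomobject]@{
        Path           = $file.FullName
        Status         = $sig.Status
        StatusMessage  = $sig.StatusMessage
        Signer         = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject }
        Timestamped    = [bool]$sig.TimeStamperCertificate
        PublisherMatch = $publisherOk
        # Version resource fields: empty values here match the "no version,
        # no publisher name" symptom described in the issue.
        CompanyName    = $file.VersionInfo.CompanyName
        ProductName    = $file.VersionInfo.ProductName
        FileVersion    = $file.VersionInfo.FileVersion
        Sha256         = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
        Pass           = $signed -and $publisherOk
    }
}

# Run against the file downloaded in the steps above, if it is present.
if (Test-Path -LiteralPath '.\vc_redist.x64.exe') {
    Test-InstallerSignature -Path '.\vc_redist.x64.exe' | Format-List
}
```

Recording the `Sha256` value alongside the signature result makes it possible to confirm later that two people who disagree about the download were looking at the same bytes.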