vim-win32-installer
Winget Installer Blocked by Microsoft Defender SmartScreen
Steps to reproduce
- Use Windows 11.
- Type
winget install vim.vim
Downloading https://github.com/vim/vim-win32-installer/releases/download/v9.0.1672/gvim_9.0.1672_x64.exe
██████████████████████████████ 10.4 MB / 10.4 MB
Successfully verified installer hash
Starting package install...
The installer will request to run as administrator, expect a prompt.
Successfully installed
It says successful, but nothing happens. No prompts, no windows, nothing.
However, when I download the exe file (gvim_9.0.1672_x64.exe) and run it from the web browser or Windows file manager, I do get an error message -- the following popup, and the only option is a button that says "Don't run":
Windows protected your PC
Microsoft Defender SmartScreen prevented an unrecognized app from starting. Running this app might put your PC at risk.
App: gvim_9.0.1672_x64.exe
Publisher: Unknown publisher
[Don’t run]
So winget fails because the executable is blocked.
Expected behaviour
I expected the installer to run.
- The unsigned installers keep being blocked by Microsoft Defender SmartScreen.
- All the signed installers seem to work normally.
For this reason, I suspect that the published winget package should use a signed installer, to avoid being blocked by Windows.
Version of Vim
9.0.1672
Environment
Windows version: Windows 11, 22H2 (OS Build 22621.1992)
Installer package: gvim_9.0.1672_x64.exe
> For this reason, I suspect that the published winget package should use a signed installer, to avoid being blocked by Windows.

Yes, that would be nice, but that is still a half-manual step, so not easily possible at the moment. There is nothing we can do here to convince Defender to run the installer, unfortunately.
To be clear, the signed installers work perfectly.
If it were possible to automate the winget YAML pipeline to only update whenever the latest signed installer is available, it would always work even if the signing is half manual.
As you use SignPath, maybe you should try getting into this EAP: https://github.com/SignPath/github-action-submit-signing-request
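
One way to implement the gate suggested in this thread (only publish a winget update when the latest installer is signed), as an added example that is not part of the original issue or the project's pipeline. It assumes the release installers have already been downloaded into a local directory and follow the `gvim_<version>_x64.exe` naming seen above; the function name, parameters and the `C:\releases` path are hypothetical.

```powershell
# Added example: return the newest gvim installer whose Authenticode
# signature validates, so the winget manifest is only bumped to that version.
function Get-LatestSignedInstaller {
    [CmdletBinding()]
    param(
        # Directory holding already-downloaded installers (assumption).
        [Parameter(Mandatory)][string]$InstallerDir,
        # Optional text the signer certificate subject must contain
        # (supplied by the caller; no value is taken from the issue).
        [string]$ExpectedSubject
    )

    # Parse the version out of each file name and sort newest first.
    $candidates = Get-ChildItem -Path $InstallerDir -Filter 'gvim_*_x64.exe' -File |
        ForEach-Object {
            if ($_.Name -match '^gvim_(\d+(?:\.\d+){1,3})_x64\.exe$') {
                [pscustomobject]@{ File = $_; Version = [version]$Matches[1] }
            }
        } | Sort-Object Version -Descending

    foreach ($c in $candidates) {
        $sig = Get-AuthenticodeSignature -FilePath $c.File.FullName

        # Anything other than Valid (NotSigned, HashMismatch, NotTrusted, ...)
        # is skipped, so an unsigned newer build never reaches the manifest.
        if ($sig.Status -ne 'Valid') {
            Write-Verbose "$($c.File.Name): signature status $($sig.Status), skipped"
            continue
        }
        if ($ExpectedSubject -and
            $sig.SignerCertificate.Subject -notlike "*$ExpectedSubject*") {
            Write-Verbose "$($c.File.Name): unexpected signer, skipped"
            continue
        }

        return [pscustomobject]@{
            Version = $c.Version.ToString()
            Path    = $c.File.FullName
            Signer  = $sig.SignerCertificate.Subject
            # Hash of the exact file that was verified, for the manifest's InstallerSha256.
            Sha256  = (Get-FileHash -Path $c.File.FullName -Algorithm SHA256).Hash
        }
    }
}

# Usage (hypothetical path): no output means no signed installer was found,
# and the manifest update step should be skipped.
# Get-LatestSignedInstaller -InstallerDir 'C:\releases' -Verbose
```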