There are actually three "warning" dialogs that the user has to pass
through:
* the first one comes from Edge, as it flags the file as "unsecure
download" -- I suspect Edge is more careful about "new files" that it sees,
and displays the warning. If the user runs the file, Edge will send the
files hash to its servers, and if enough users download it, it will stop
displaying the warning, assuming it is safe.
* the second one is the "This file is downloaded from the internet"
warning, which is displayed for any file downloaded from the internet. The
warning is displayed for files which have an "Alternate Data Stream" and an
ADS is created on download. You can look at the alternate data streams
using the "dir /r" command. For racket it shows that it has a
"Zone.Identifier" alternate data stream:
dir /r racket-8.0-x86_64-win32-cs.exe
Volume in drive C is Windows
Directory of C:\Users\aharsanyi\Downloads
02/15/2021 01:24 PM 181,647,576 racket-8.0-x86_64-win32-cs.exe
159
racket-8.0-x86_64-win32-cs.exe:Zone.Identifier:$DATA
1 File(s) 181,647,576 bytes
0 Dir(s) 235,121,123,328 bytes free
The ADS can be opened as a file in notepad using:
"notepad.exe racket-8.0-x86_64-win32-cs.exe:Zone.Identifier", which for
Racket contains:
[ZoneTransfer]
ZoneId=3
ReferrerUrl=https://download.racket-lang.org/
HostUrl=https://mirror.racket-lang.org/installers/8.0/racket-8.0-x86_64-win32-cs.exe
There are tools to remove these alternate data streams, the ADS will be
created on download and the user has to either explicitly remove it or deal
with the warning dialog. ZoneID=3 means the file is from the "internet",
ZoneID=2 would mean that it comes from a list of "trusted sites" and
ZoneID=4 indicates that the file comes from sites that have been identified
as malicious. The zone comes from the Windows internet settings. Not sure
if it is affected by the file being signed with an EV certificate.
* the third dialog shows up when the application wants to install for all
users, this is the "this software wants to make changes to your
computer..." warning. The warning shows up for all software which
requests elevated privileges, but the header of the dialog is blue for
signed applications and yellow for unsigned ones (I assume it would be red
for software which is identified as bad, but I have never seen that). This
dialog does not show up if you try to install the application for the local
user only, but of course, in such a case, the application is only available
for the current user.
Alex.
On Monday, February 15, 2021 at 9:40:48 AM UTC+8 clements wrote:
> That’s an interesting point. One thing to keep in mind is that many of our
> users are installing DrRacket in educational settings, where the program is
> to be available to all users. Is it possible to install without admin
> privileges in a way that makes it available to all users?
>
> John
>
> > On Feb 14, 2021, at 1:37 AM, Dyllon Gagnier <dyllon...@gmail.com> wrote:
> >
> > Still seeing this as of the time of this writing. Edge Dev flags it
> immediately and other browsers download the file, but then the file is
> flagged when you try to run it.
> >
> > I filled out the Google Form and just wanted to update on this thread to
> let people know that this still seems to be an issue.
> >
> > As a workaround until this is fixed, maybe put a warning about it on the
> download page for Windows as well as the file hash in case people want to
> verify it.
> >
> > I tested out forcing the installer to run as non-admin via "cmd /min /C
> "set __COMPAT_LAYER=RUNASINVOKER && start "" racket-8.0-x86_64-win32-cs.exe"
> > and that resulted in no prompt being raised. Running it directly from
> cmd still raises the error. However, running directly from am admin cmd
> prompt also
> > launched the installer with no warnings. The issue seems to be caused by
> the fact that the installer immediately tries to elevate to admin.
> >
> > I think it may be possible to get the installer to work without admin as
> long as Racket installs outside of Program Files. I know some installers
> only
> > elevate to admin if the user requests to do a system wide install. I
> tested this out about a year ago and the Racket installer doesn't actually
> need admin permissions.
> > I verified this by using the RUNASINVOKER trick since this was on a work
> machine were I did not have admin permissions.
> > On Friday, February 12, 2021 at 1:12:06 AM UTC-8 dominik....@trustica.cz
> wrote:
> > On 11. 02. 21 0:14, 'John Clements' via Racket Developers wrote:
> > > Wow, that’s incredibly informative and helpful. Out of curiosity, do
> you have any ballpark idea what the number of downloads required for
> something to be listed as trusted is?
> >
> > I asked my colleague who was handling this back then and frankly the
> > answer is no.
> >
> > Dominik
> >
> > --
> > You received this message because you are subscribed to the Google
> Groups "Racket Developers" group.
> > To unsubscribe from this group and stop receiving emails from it, send
> an email to racket-dev+...@googlegroups.com.
> > To view this discussion on the web visit
> https://groups.google.com/d/msgid/racket-dev/eb7fffd8-554c-4aad-bb81-05271d0fa0c8n%40googlegroups.com
> .
>
>
--
You received this message because you are subscribed to the Google Groups
"Racket Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to racket-dev+unsubscr...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/racket-dev/3127ebe2-b435-430d-9d6b-751b3c924dd3n%40googlegroups.com.
