Windows help wanted - trying PJRC's new code signing cert

[PaulStoffregen]

If you're using Windows and have a moment to help, please download this freshly compiled Hello World program (it just prints "Hello World" if run from command line).

https://www.pjrc.com/tmp/hello2.exe

This EXE file supposed to be properly signed. But I had to completely rework how I sign EXE files, since they changed the rules for certs sometime in 2023. It used to be just a P12 file with both key and cert, but now the private key part is delivered on a Yubikey hardware token. I had to install a bunch of Yubikey and PKCS11 crypto stuff. Looks like I probably got it working, but I'm hoping you can be the judge of that....

This new cert doesn't have smartscreen reputation yet, so even if the signature is good your browser might object or the message might be something about the program not commonly downloaded.

If you right-click and look at properties, it should have a Digital Signatures tab that says the program is from PJRC.COM, LLC. The Details should show it has a signed timestamp of today (March 21) and the CA is SSL.com.

 

[PaulS]

Here you go. On Windows 10.
My Chrome browser downloaded it fine, hello2.exe runs fine from command line.

Paul

 

[WMXZ]

Edge on Windows11 Home,
Version 10.0.22631 Build 22631
AV: McAfee

Make sure you trust hello2.exe before you open it​

Microsoft Defender SmartScreen couldn't verify if this file is safe because it isn't commonly downloaded. Make sure you trust the file you're downloading or its source before you open it.
Name: hello2.exePublisher: US, Oregon, Sherwood, "PJRC.COM, LLC", "PJRC.COM, LLC"

Keep anyway.

execution shows: Hello World

digital signature: same as PaulS

 

[BriComp]

Windows10 Pro and whatever Explorer calls itself today.
BitDefender did not like it.
....and following Windows thought:-

 

[KurtE]

Norton complained about 3 times about not a common download, Are you sure...
But after that I was able to run it. Norton also scanned it and said nothing is wrong.

 

[defragster]

Got these notes downloading and trying to keep it ... then reported as SAFE ... then it was determined to be 'Virus detected'
Windows 11 - active AV is MSFT Defender - Windows Security ...
That was with EDGE - same end result in Brave browser
<edit> return to KEEP ANYWAY keeps detecting virus and removing

 

[defragster]

Turning this off allowed keeping download and running it:

<edit>
MalwareBytes scanned and found no issue.
But enabling the above had the EXE deleted as a virus.

 

[el_supremo]

Windows 10 Pro and Kaspersky Anti-virus. No problem with download and execution in Powershell.

Pete

 

[mjs513]

Downloaded and ran on windows 11 with Norton. Saw the same as @defragster - reported it safe to MS, then said keep anyway with no issues with Norton. Ran hello2.exe and ran fine - and saw the same signature as @PaulS

 

[defragster]

Have not seen download problems with 'false positives' in recent memory. And last TD updates have had no issue with any EXE changes for IDE 1 or IDE 2.

Tried download again and failed - the 'RULES" hadn't been updated for Virus.
Did Windows Update:

After that the download worked - so reporting as SAFE must have fed into a "RULES" database to accept.
Though still ID'd it as:

And had to select "...": 'Keep' and then 'Keep anyway' and then it survived to save and to run and also survived a 'Manual Scan' of the file by Defender.

 

[PaulStoffregen]

Posted an article on the website today with info about how the Windows EXE cross compile and signing works.

How to cross compile and sign Windows EXE on Linux with Yubikey token

www.pjrc.com

Hopefully it can help other people who want to cross compile and sign with the new way keys and certificates are issued... maybe even future me when PJRC's new cert expires in 2027.

 

[Nantonos]

 

[Nantonos]

 

[defragster]

@PaulStoffregen : Wondering if you made another test EXE - now that your NEW CERT has been tested and approved once - if it might be better accepted?

It would only work with the most recent Update to the Windows Defender Smartscreen 'database' - but it might have moved from 'Never seen untrusted' to 'Cert seen without issue' or better.

 

[PaulStoffregen]

Wondering if you made another test EXE - now that your NEW CERT has been tested and approved once - if it might be better accepted?

Sure, here's another test. Basically the same, but prints a slightly different hello message.

https://www.pjrc.com/tmp/hello3.exe

Based on what we saw 3 years ago with 1.54 beta #7, my guess is we've got a few beta versions to go before SmartScreen warms up to PJRC's new certificate.

 

[defragster]

That worked - just had to find and select "KEEP" two times.

>"C:\Users\TimLabs\Downloads\hello3.exe"
Hello Defragster

It was not deleted, and a manual scan with Defender did not find any issue.
And that was before manually checking for this update that came in:

After that it still required a double 'KEEP' at this point - but no issue with it being removed or not executing.
> That .695 is a big uptick from above .608 noted above.

A connected system seems to regularly update automatically as the list below shows on a connected machine:

 

[BriComp]

Still Getting this and all the keep stuff etc.

 

[KurtE]

Microsoft windows, complained twice as mentioned. Then Norton ran on it and said something like, scanned, ...

But I think there is a bug in it:

C:\Users\kurte\Downloads>hello3
Hello Defragster

As I am not Defragster

 

[el_supremo]

hello3 downloaded and executed with no problems, same as previous one.

 

[Nantonos]

Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows

PS C:\Users\chris\Downloads> .\hello3.exe
Hello Defragster

So it runs fine from a shell; double clicking it still gives the "Windows protected your PC" nonsense.

 

[defragster]

So it runs fine from a shell; double clicking it still gives the "Windows protected your PC" nonsense.

Does right click properties show it as BLOCKED - - not seen that here but downloads can get marked that way too and require flipping that switch to allow it to run.

 

[PaulStoffregen]

As I am not Defragster

How about this?

https://www.pjrc.com/tmp/hello4.exe

Maybe with more of these downloaded enough times, SmartScreen will take notice?

 

[defragster]

Hopefully it is CERT trust that will build with more exposure as it is NEW - even though PJRC NAME is common from prior.

Still needed Double Keep - with EXE name change it will still be inclined to show this as 'not commonly downloaded':

Until doing the Keep/Keep the download is sequestered by Edge:

And then from Explorer the file is still marked 'might be blocked':

Running from Explorer runs and exits of course - but from CMD window it runs fine -

C:\Users\xyz>"C:\Users\xyz\Downloads\hello4.exe"
Hello Kurt

Some prior copies are still marked Blocked - but will execute from CMD. No pop-up warning on double click execute - but the appearing CMD window exit before content is visible.

 

[BriComp]

As @defragster reported and BitDefender still complains vociferously!.

 

[KurtE]

Microsoft windows, complained twice as mentioned. Then Norton ran on it and said something like, scanned, ...

But I think there is a bug in it:

C:\Users\kurte\Downloads>hello3
Hello Defragster

As I am not Defragster

This latest one appears to work...

Got the two messages that Defragter mentioned and then:

And ran from terminal window and it worked