All,

If you are a Chrome user, please help us to build reputation for our new
SHA-2 compliant SetupBuilder code-signing certificate.

We are using a new SHA-2 compliant code-signing certificate (valid until
08/2018) to code-sign all new SetupBuilder 10 files. To make sure that
SetupBuilder redistributables (e.g. wupdate.exe, wucheck.exe, etc.) and
system service files are trusted, we have to earn trust and build a
reputation for our new certificate.

Please download and run the following small tool on as many machines as
possible (see attached screenshots):
http://www.lindersoft.com/projects/sb10_reputation.exe

Internet Explorer or Microsoft Edge users, please see:
http://www.lindersoft.com/forums/showthread.php?46865

I guarantee, the above SetupBuilder generated application WILL NOT harm your
system. It just ask for elevation and displays a "Thank You" dialog.

Thank you for your help!

--
Friedrich Linder
Lindersoft | SetupBuilder | www.lindersoft.com
954.252.3910 (within US) | +1.954.252.3910 (outside US)

--SetupBuilder "point. click. ship"
--Helping You Build Better Installations
--Create Windows 10 ready installations in minutes
--Official COMODO Code Signing and SSL Certificate Partner

To demonstrate what happens when you compile the SAME project but code-sign
with the OLD certificate (already trusted by millions of downloads and
redistributable runs worldwide, valid until 08/2016).

Google Chrome immediately displays the 'RUN' option.

Friedrich

Is it getting on my nerves? Yes! But I am cool <g>

Thanks again for all your help!

Friedrich

I did get the warning with Chrome. I'll be at a different site in a couple
of hours and will download again there. (Guessing it doesn't do much good
to download from multiple VMs that are on a host with a single IP??)

jf

Thank you, Jane !!!

Friedrich

Hi Friedrich

I did this yesterday on Chrome and did not get the Discard warning from Chrome. So I
tried again today and did get the warning. But I guessed if Lee White now might trust
you, then I should too<g>.

Done.

JohnG

Hi John,

> I did this yesterday on Chrome and did not get the Discard warning from
> Chrome. So I tried again today and did get the warning. But I guessed
> if Lee White now might trust you, then I should too<g>.
>
> Done.

<g> Thanks for trusting me ;-)

Friedrich

Ran with Avant browser using IEcompatible engine, FireFox engine and Chrome
engine.
All accepted cleanly.
Stamos

Hi Stamos,

> Ran with Avant browser using IEcompatible engine, FireFox engine and
> Chrome engine.
> All accepted cleanly.

Perfect! Thank you for your help!!!

Friedrich

done with ff

Cikic Nenad

> done with ff

Thank you, Cikic !!!

Friedrich

> If you are a Chrome user, please help us to build reputation for our new
> SHA-2 compliant SetupBuilder code-signing certificate.
>
>

Chrome complained that it would be dangerous and wanted me to
discard it. Downloaded and ran it anyway and it ran ok.

Tony

> Chrome complained that it would be dangerous and wanted me to
> discard it. Downloaded and ran it anyway and it ran ok.

Thank you, Tony!!!

Friedrich

Hi Friedrich,

> If you are a Chrome user, please help us to build reputation for our new
> SHA-2 compliant SetupBuilder code-signing certificate.

Done on one computer, 4 to go<g>

Best regards,

--
Arnor Baldvinsson - Icetips Alta LLC

>
> Done on one computer, 4 to go<g>
>

Thank you, Arnor :-)

Friedrich

Just ran it on Chrome... said it was 'Dangerous'. I said keep it.. it
downloaded and I ran it and Kaboom!

Not really <g>

All is good. By the way, how long did it take you to write that program?
Looks like some intense programming. :)

Ray

Hi Friedrich,

> Done on one computer, 4 to go<g>

I've done this in Chrome on 3 machines in two locations. All showed the
"stop" icon with "This file is not frequently downloaded..." or
something like that with the default option being to discard it.

Best regards,

--
Arnor Baldvinsson
Icetips Alta LLC

Hi Friedrich,

> I've done this in Chrome on 3 machines in two locations. All showed
> the "stop" icon with "This file is not frequently downloaded..." or
> something like that with the default option being to discard it.

Clicked your download link again on my dev computer and get:



Chrome is my default browser. I have "Kept" this file 4 times now on
this machine (this was the 4th time), still get the "Discard" button as
default.

Best regards,

--
Arnor Baldvinsson
Icetips Alta LLC

Hi Friedrich,

> Clicked your download link again on my dev computer and get:
>



Hope it shows up this time;)

Best regards,

--
Arnor Baldvinsson
Icetips Alta LLC

AKA "You gonna die!"<g>

Jeff Slarve
www.jssoftware.com
www.twitter.com/jslarve
I'll search help files & Google for you.

Grammar troll's, are the worse.

Hi Arnor,

Yes, the new certificate is still not "reputable" enough for stupid Google
Chrome. And it's amazing to see (from the server log) how few are using
Chrome. We need more downloads to earn Chrome trust.

See attached screenshots. The same application signed with the NEW and the
OLD certificate. The one signed with the old certificate (downloaded only
14 times) is not flagged as dangerous. The exe signed with the new
certificate (downloaded by 311 users) is dangerous. Remember: it's the SAME
application, only the certificate is different.

This is killing me <g>.

Friedrich

> AKA "You gonna die!"<g>

Yeah, this scares the heck out of my customers... and who knows about
the folks that want to download the demo... all the more reason we call
them on the phone. Of course 25% of the people don't leave a phone
number, so they're just gone.

And who the heck does Chrome thing they are? Google or something!

Oops.. oh forgive me the great Google in the sky.

--
Ray Rippey
VMT Software

and for ff?

Cikic Nenad

Hi Cikic,

>
> and for ff?
>

Very good question. Does FireFox also have a reputation engine? Could you
please try it in FF?

Thank you so much!!

Friedrich

That was interesting!

I have Firefox V38.01 and Avira Anti-virus V15. I downloaded the exe
and then clicked on it in the ff download window to start it.

Firefox said it wanted to analyze it. (or at least I think it was
firefox.) I said yes and it made a log file.

Then Avira said it wanted to analyze it, I said yes. Then Avira wanted
to analyze the log file that ff was sending, I said yes. Then Avira
wanted to send it's data, I said yes.

Then the "Thank You" screen from your program came up, all ok.

It seems that your test was -very- interesting to the Firefox and
Avira people. But they didn't object to it. 8-)

HTH,

Carl Sumner

I ran it on a Win 7 computer with MS IE V8 and MS Security Essentials.
It asked if it was ok to run it. but that was all. It ran ok with
"Thank You" screen.

By the way, the other one with FireFox was also a Win7 system.

HTH,

Carl Sumner

> Please excuse the cross posting, but not everyone monitors the "3rd Party"
> or "SetupBuilder" Newsgroups.
>
> I need your help.
>
> If you are a Chrome user, please help us to build reputation for our new
> SHA-2 compliant SetupBuilder code-signing certificate.

A late reply but I downloaded it and ran it on all our machines (and in all
the VMs).

Always glad to help!


:-)

Charles

--
-------------------------------------------------------------------------------------------------------
Charles Edmonds

cjeByteMeSpammers@lansrad.com (remove the "ByteMeSpammers" to email me)
www.clarionproseries.com - ProScan, ProImage, ProPath and other Clarion
developer tools!
www.seal-soft.com - The xProduct Clarion templates - xWordCOM, xToolTip,
xDataBackup Manager and more!
www.ezchangelog.com - "Free ChangeLog software to manage your projects!"
www.setupcast.com - "A revolutionary new publishing system for software
developers - enhanced for SetupBuilder users!"
www.pagesnip.com - "Print and Save the Web, just the way you want it!"
www.ezround.com - "Round Corner HTML tables with matching Banners, Buttons
and Forms - Now with PNG support!
www.lansrad.com - "Intelligent Solutions for Universal Problems"
www.fotokiss.com - "World's Best Auction Photo Editor"
-------------------------------------------------------------------------------------------------------

> Please download and run the following small tool on as many machines as
> possible (see attached screenshots):
> http://www.lindersoft.com/projects/sb10_reputation.exe

Chrome, Win10, ESET Endpoint AV

Chrome just asked me if I'd like to discard or keep your .EXE file.
Works fine.

Marko

Now that is interesting. Checked our new certificate with Google Chrome
again and that VM had a temporary Internet connection problem. Chrome or
Windows displayed the SmartScreen window?!

So Chrome is also using Microsoft SmartScreen technology? If yes, why is
our new reputation fine in Internet Explorer and Microsoft Edge and still
"bad" in Chrome? Does not make any sense to me.

Friedrich

Hi Ray,

> Just ran it on Chrome... said it was 'Dangerous'. I said keep it.. it
> downloaded and I ran it and Kaboom!
>
> Not really <g>

<G> ;-)

> All is good. By the way, how long did it take you to write that program?
> Looks like some intense programming. :)

Very complex stuff... It took 30 seconds to write the reputation program
<g>. See attached source code screen. :-)

Friedrich

Thank you Carl, very interesting !!!

Look at this: I re-checked our new certificate reputation with Google Chrome
and the VM had a temporary Internet connection problem. Chrome or Windows
displayed the SmartScreen window?! So as far as I can see, Chrome is also
using Microsoft SmartScreen technology. But why is
our new reputation fine in Internet Explorer and Microsoft Edge and still
"bad" in Chrome? Does not make any sense to me.

Would be interesting to know if FF is also using SmartScreen.

Friedrich

> A late reply but I downloaded it and ran it on all our machines (and in
> all the VMs).
>
> Always glad to help!

Thank you, Charles !!! :-)

Friedrich

> Chrome, Win10, ESET Endpoint AV
>
> Chrome just asked me if I'd like to discard or keep your .EXE file. Works
> fine.

Thank you, Marko !!!

Friedrich

G'day Friedrich

>But why is
>our new reputation fine in Internet Explorer and Microsoft Edge and still
>"bad" in Chrome? Does not make any sense to me.

Ijust now tried Chrome again here and chased a rabbit down a hole!

I used the more info and got attached screen, then finally went to ...

https://support.google.com/webmasters/answer/3258249
Seems it is not just the Certificate they are looking at, but your site as a whole.
Mongrels!

Have you tried contacting them and requesting a "site review"? That might help.

Link is

https://support.google.com/webmasters/answer/168328?vid=1-635780909336057404-2390364089

HTH

John

Hi John,

> I just now tried Chrome again here and chased a rabbit down a hole!
>
> I used the more info and got attached screen, then finally went to ...
>
> https://support.google.com/webmasters/answer/3258249
> Seems it is not just the Certificate they are looking at, but your site as
> a whole.
> Mongrels!
>
> Have you tried contacting them and requesting a "site review"? That might
> help.
>
> Link is
>
> https://support.google.com/webmasters/answer/168328?vid=1-635780909336057404-2390364089

The problem is that our site is perfectly valid and no security issue
reported in Google Webmaster tools. It's definitely caused by the new
certificate. And it happens with ALL new certificates. So when you get
your new certificate, BANG. Good bye good old reputation.

Just for fun, please try the following link. Same application, same site
location, but code-signed with the old certificate:

http://www.lindersoft.com/projects/sb10_reputation_old.exe

What do you see when you try to execute the above executable? No warning
here on our machines.

Thank you!

Friedrich

Hi John,

See attached screenshot. No error reported in Google Webmaster Tools.

And when you download an application from our site (all still code-signed
with the old certificate), there is no problem:

http://www.lindersoft.com/products_setupbuilder_dev_download.htm

For example, the small (4MB) "SetupBuilder 2015 Developer Edition (Free
Trial without User's Guide)" installer image.

Friedrich

Hi friedrich,

Tested sucessfully with IE/FF/chrome and Edge when applicable for:
2 PC's win7 32 Bits With Kapersky SOS 3.x each
1 WinR2008R2 With Kapersky SOS 3.x
1 Win10 With MS Essential
1 win10 With Kapersky SOS 3.x

Only Chrome asked me if i wanted to keep or reject executable.

Cheers,

Cyrille Letellier D+

FYI - I just now downloaded to a new VM via Chrome and still got "You
gonna die!!"

Jeff Slarve
www.jssoftware.com
www.twitter.com/jslarve
I'll search help files & Google for you.

Grammar troll's, are the worse.

But IE trusted you, as you would have already expected

Jeff Slarve
www.jssoftware.com
www.twitter.com/jslarve
I'll search help files & Google for you.

Grammar troll's, are the worse.

>
> But IE trusted you, as you would have already expected
>

Thanks you for your help, Jeff. It is definitely caused by the reputation
of the new certificate.

The SAME project code-signed with the old (still valid until 08/2016) and
new (valid until 08/2018) gives different results in Chrome.

http://www.lindersoft.com/projects/sb10_reputation.exe

http://www.lindersoft.com/projects/sb10_reputation_old.exe

And the funny thing is, Chrome also makes use of the Windows SmartScreen
reputation engine. THIS IS KILLING ME...

Friedrich

Hi Jeff,

> But IE trusted you, as you would have already expected

For what it's worth, I get this in Chrome on files from time to time. I
don't recall what kind of files I have got this on, but I'm pretty sure
I have seen this on files that are not executable binaries. I just now
went to http://www.icetips.com/downloads.php?dl=PAR2 and downloaded some
old files without code signature and didn't get this on any of them.
Avast popped up a warning on one of them saying it was rarely
downloaded;) But Chrome downloaded all of them happy as ever.

Best regards,

--
Arnor Baldvinsson
Icetips Alta LLC

I'm guessing their "logic" is your website has been hacked and someone
else is sending out exe's with a different certificate?

--David

Hi Arnor,

Just for fun, I downloaded an old and NOT-SIGNED dummy application (dated
9/25/2009) with Google Chrome from the same website location.

On top of the "could be dangerous" warning, Google triggers the "Windows
Protected your PC (Unknown Publisher)" dialog. The code-signing status and
the reputation status of the certificate seems to be the most important
factor (for all security systems).

Friedrich

Hi David,

> I'm guessing their "logic" is your website has been hacked and someone
> else is sending out exe's with a different certificate?

I think it's all based on the reputation level of the (new) code-signing
certificate. What does NOT make any sense to me is that the reputation is
resetted when you get a new one (same company name, same vendor address,
same website, etc.) :-(

We already have "restored" the certificate reputation for Internet Explorer
and Microsoft Edge. Google Chrome is still a problem.

Friedrich

Hi Cyrille,

> Tested sucessfully with IE/FF/chrome and Edge when applicable for:
> 2 PC's win7 32 Bits With Kapersky SOS 3.x each
> 1 WinR2008R2 With Kapersky SOS 3.x
> 1 Win10 With MS Essential
> 1 win10 With Kapersky SOS 3.x
>
> Only Chrome asked me if i wanted to keep or reject executable.

Thank you !!!

Friedrich

Hi Friedrich,

> Just for fun, I downloaded an old and NOT-SIGNED dummy application (dated
> 9/25/2009) with Google Chrome from the same website location.
>
> On top of the "could be dangerous" warning, Google triggers the "Windows
> Protected your PC (Unknown Publisher)" dialog. The code-signing status and
> the reputation status of the certificate seems to be the most important
> factor (for all security systems).

FWIW I'm on Windows 7 and 8.1, but I should be on the latest build of
Chrome on all machines. The file(s) I downloaded were from the list of
files I very recently received from Steve Parker and uploaded to the
icetips.com domain, so those files have most likely never been
downloaded from Icetips before. None of them were code signed. I was
surprised that Chrome didn't barf at them. But we all know that Google
is infallible and their products are always bug free... ;)

Best regards,

--
Arnor Baldvinsson
Icetips Alta LLC

Arnor,

> FWIW I'm on Windows 7 and 8.1, but I should be on the latest build of
> Chrome on all machines. The file(s) I downloaded were from the list of
> files I very recently received from Steve Parker and uploaded to the
> icetips.com domain, so those files have most likely never been downloaded
> from Icetips before. None of them were code signed. I was surprised that
> Chrome didn't barf at them. But we all know that Google is infallible and
> their products are always bug free... ;)

If the files from Steve's site are executables; reputation for unsigned
software is based on fingerprints while reputation based on signed software
is based on the associated code signing certificate. Users downloaded the
files from Steve's site in the past and so they already "earned" trust.
Change one byte in that (unsigned) software, upload it and the reputation is
immediately reset to ZERO (similar to what happens with code-signing
certificates, but here after three years <g>).

Friedrich

Hi Friedrich,

> If the files from Steve's site are executables; reputation for
> unsigned software is based on fingerprints while reputation based on
> signed software is based on the associated code signing certificate.
> Users downloaded the files from Steve's site in the past and so they
> already "earned" trust. Change one byte in that (unsigned) software,
> upload it and the reputation is immediately reset to ZERO (similar to
> what happens with code-signing certificates, but here after three
> years <g>). Friedrich

You know you can't throw a challenge like that without me checking it
out;) So I downloaded the file (exe installer from 2004 - no code sign
in sight;) and used a hex editor to change a couple of bytes in it - one
text byte and one binary byte. Uploaded it again and tried to download
it with Chrome. It happily downloaded it, but Avast popped up a msg.
saying this file was rarely downloaded. So I deleted couple of rows of
bytes and uploaded. Chrome downloaded the file happily as ever.

So - Chrome didn't give a hoot if the file changed. Avast OTHO did. Weird!

Best regards,

--
Arnor Baldvinsson
Icetips Alta LLC

Hi Friedrich,

Did some further mutilation on that poor file: Chrome is still
oblivious - Avast is getting pissed at me though for downloading this junk;)

Best regards,

--
Arnor Baldvinsson
Icetips Alta LLC

Hi Arnor,

> Did some further mutilation on that poor file: Chrome is still
> oblivious - Avast is getting pissed at me though for downloading this
> junk;)

Very interesting. This illustrates how trustable the Google Chrome
mechanism is <g>. We already have more than 550 downloads from Chrome users
and still have not a "good" reputation for our new certificate from Google.

If we can't earn more trust fast then we'll run into a support nightmare
next week when we make SetupBuilder 10 available (all files code-signed with
SHA1/SHA2).

Friedrich

Friedrich,

> What does NOT make any sense to me is that the reputation is
> resetted when you get a new one (same company name, same vendor address,
> same website, etc.) :-(

It's probably based on something other than that such as the serial
number or public key but then I have NO idea what I'm doing awake at
the moment so don't listen to ME!<g> Asleep at 5 AM, awake at 9 AM is
NOT enough sleep and here I am without any caffeine!!!

I ran it through every browser I have in all my VM's. But I don't use
Chrome so it wasn't of much help! I think I have an old Opera install
somewhere, wonder if that needs to be tested?!<g>

--
Lee White

RPM Report Viewer.: http://www.cwaddons.com/products/rpm/
RPM Review........: http://www.clarionmag.com/cmag/v11/v11n06rpm.html
Report Faxing.....: http://www.cwaddons.com/products/afe/
---Enroll Today---: http://CWaddons.com

Creative Reporting: http://www.CreativeReporting.com

Product Release & Update Notices
http://twitter.com/DeveloperPLUS

Windows 8 brings us "The Oval, Bumper Car, Roller Coaster of Wait!"
And, now, Windows 10 brings us "The Inch Worm, Bumper Car of Wait!"


The life of a Clarion Developer: https://youtu.be/ozitqabi6UM

Lee,

> It's probably based on something other than that such as the serial
> number or public key but then I have NO idea what I'm doing awake at
> the moment so don't listen to ME!<g> Asleep at 5 AM, awake at 9 AM is
> NOT enough sleep and here I am without any caffeine!!!
>
> I ran it through every browser I have in all my VM's. But I don't use
> Chrome so it wasn't of much help! I think I have an old Opera install
> somewhere, wonder if that needs to be tested?!<g>

<G> :-)

Friedrich

Hi Friedrich,

> Very interesting. This illustrates how trustable the Google Chrome
> mechanism is <g>.

Are you saying this is Chrome's fault? OMG!!!<bg>

> We already have more than 550 downloads from Chrome users and still
> have not a "good" reputation for our new certificate from Google. If
> we can't earn more trust fast then we'll run into a support nightmare
> next week when we make SetupBuilder 10 available (all files
> code-signed with SHA1/SHA2). Friedrich

Yeah, I don't know what it may take. When it comes to some google
things, I feel it's like chasing an invisible ghost in a cave while
blindfolded;)

Best regards,

--
Arnor Baldvinsson
Icetips Alta LLC

Hello Friedrich,

Friday evening and Chrome is still trying to scare me.

just to let you know....

Regards,
Wolfgang Orth
www.odata.de

Hi Arnor,

>
> Are you saying this is Chrome's fault? OMG!!!<bg>
>

I would never say that <g>. Because I am sure it would reset my reputation
level <g>. Google is watching...

>> We already have more than 550 downloads from Chrome users and still have
>> not a "good" reputation for our new certificate from Google. If we can't
>> earn more trust fast then we'll run into a support nightmare next week
>> when we make SetupBuilder 10 available (all files code-signed with
>> SHA1/SHA2). Friedrich
>
> Yeah, I don't know what it may take. When it comes to some google things,
> I feel it's like chasing an invisible ghost in a cave while blindfolded;)

YEEEEEES :-)

Friedrich

I tried the sb10_reputation_old on Firefox here. The Avira Antivirus
requested to analyze it and send info home, but passed it, Firefox
didn't say anything, just let it through. Of course Windows asked
before running it, as usual.

The new certificate seems ok, I suspect Google is the one that is
wrong. Of course that doesn't help... 8-}

HTH,

Carl Sumner

> I tried the sb10_reputation_old on Firefox here. The Avira Antivirus
> requested to analyze it and send info home, but passed it, Firefox
> didn't say anything, just let it through. Of course Windows asked
> before running it, as usual.
>
> The new certificate seems ok, I suspect Google is the one that is
> wrong. Of course that doesn't help... 8-}

Thank you for your help, Carl :-)

I think Google needs more downloads to increase trust and credibility for
new certificates. Time will tell...

Friedrich

Hi Wolfgang,

> Friday evening and Chrome is still trying to scare me.
>
> just to let you know....

Thank you for your help. I think Google needs more downloads to increase
trust and credibility for new certificates. 571 downloads from Chrome users
and still not a "good" reputation for our new certificate from Google. Time
will tell...

Internet Explorer, Microsoft Edge and the Windows reputation engine already
work fine.

Friedrich

G'day Friedrich

I think I have SOLVED your dilema.

Thinking outside the box, I renamed your .exe from
sb10_reputation.exe to sb10_reputation_setup.exe

Then ftp'd it to one of my sites and it downloads _without_ the [DISCARD] warning from
Chrome.

Try it from here if you like using youtr Chrome.

http://www.genawise.com/download/sb10_reputation_setup.exe

I'll leave it there for a few days.

John

G'day Friedrich

Forgot to mention that I also tried your original file without the name change from my
site, and I did get the [Discard] warning in Chrome. So it looks like the
setup/install/update in the file name _may_ be the clue you are looking for.

John

Hi Friedrich,

> If you are a Chrome user, please help us to build reputation for our new
> SHA-2 compliant SetupBuilder code-signing certificate.

I think something else may be at play here. I just uploaded a test
build of BA to the BA website. It is code signed as SHA-2 with a new
comodo certificate. Nothing that has been signed with this certificate
has ever been up- or downloaded. The BA domain is on a new host and
this file has never been uploaded or downloaded before from anywhere.
Note that the install was build with SB 8.5 latest build (as of few days
ago) and I'm running this on Windows 8.1.

Chrome downloaded the BA install and was perfectly happy with it!
Downloaded your exe and it immediately threw the "Discard" option. I
have downloaded your file multiple times on multiple computers. This was
the first time I downloaded this BA file. I have downloaded it now on
two computers and no problems in Chrome.

Best regards,

--
Arnor Baldvinsson
Icetips Alta LLC

Hi Friedrich

Sorry for late response. I have been travelling back DownUnder.

With the Old cert, no warning from Chrome, simply saves to download folder.

I tried again the new cert download, and STILL am getting the [Discard] warning from
Chrome. I guess you need 1 million Chrome downloads before chrome trusts you again
:-(

John

> I have been travelling back DownUnder.

So were you "back of Bourke"? Always loved that expression during my
sojourns in the antipodes <g>

Simon Kemp

G'day Simon

No, I was in the Good Ol' USA for several months.
Too cold to survive down here in winter, gets down to around 10°C :-)

John

Hi John,

> Try it from here if you like using youtr Chrome.
>
> http://www.genawise.com/download/sb10_reputation_setup.exe

Unfortunately it also triggers the discard on my machine:(



This, however, does NOT happen on a test build of Build Automator, code
signed with SHA-2 certifiate on a file that has never been up- or
downloaded before.

Best regards,

--
Arnor Baldvinsson
Icetips Alta LLC

G'day Arnor

Well, that is strange.

Trying it again here and now it gives me the Discard warning. Crazy stuff.

John

Hi John,

> Well, that is strange.
>
> Trying it again here and now it gives me the Discard warning. Crazy stuff.

Yeah, that sums it up pretty well! I don't know what the heck is going
on. Perhaps others who are doing SHA-2 signing can check how Chrome
works with their files. I'm starting to think Google just doesn't like
Friedrich!<g>

Best regards,

--
Arnor Baldvinsson
Icetips Alta LLC

Hi John,

Thanks so much for your time !!!

I see this when I try to download the file from your server (see attached
screenshot).

And idea?

Thanks,
Friedrich

Hi Arnor,

> Yeah, that sums it up pretty well! I don't know what the heck is going
> on. Perhaps others who are doing SHA-2 signing can check how Chrome works
> with their files. I'm starting to think Google just doesn't like
> Friedrich!<g>

Compiled and code-signed the same project with SHA-1, SHA-2 and dual
SHA-1/SHA-2 (new certificate) -- Chrome always gives the [DISCARD] warning.
I changed the executable name, download location, IP address, etc and it did
not make any difference. Then I code-signed with the old certificate (same
SB compiler) and Google is happy.

Friedrich

It worked for me. Still got the "discard" warning.

Jeff Slarve
www.jssoftware.com
www.twitter.com/jslarve
I'll search help files & Google for you.

Grammar troll's, are the worse.

> It worked for me. Still got the "discard" warning.

Same here...

Simon Kemp

Hi Friedrich

I think the problem is that you are probably trying from an IP range that is
verbotten. I will have a look at the .htaccess file for banned IPs. I recall banning a
few from your region when I was getting lots of download hits a few years ago, and the
region was not in our target audience.

That marketing situation no longer exists, so I will remove all the banned IPs today
and you can try again.

I will post back here once IPs are adjusted.

John

Hi Friedrich

OK, you can try again. I have removed the blocking of several IPs that might have been
from Germany.

http://www.genawise.com/download/sb10_reputation_setup.exe

If you still get the 403 error, post the first segment of your IP here and I'll make
sure it is not being blocked.

John

>I will post back here once IPs are adjusted.

Hi John,

Still getting Error 403 :-(

Friedrich

Hi Friedrich

OK, I have removed ALL ip blocking. Please try again at your leisure, but only after
SB10 is ready :-)

John

Hi John,

> OK, I have removed ALL ip blocking. Please try again at your leisure, but
> only after SB10 is ready :-)

<g>

See attached. Same warning :-(

Friedrich

Hi Arnor,

Can you create a "dummy" application with SetupBuilder and code-sign it with
your SHA-2 certificate and then upload it to your site? I would like to
download it via Google Chrome to see what happens.

Thanks!

Friedrich

Hi Friedrich,

> Can you create a "dummy" application with SetupBuilder and code-sign it with
> your SHA-2 certificate and then upload it to your site? I would like to
> download it via Google Chrome to see what happens.

I was going to compile one of my free tools for you, but I'm getting an
error 51, "File already code signed" even if I compile the Clarion app,
copy it to the destination and attempt to code sign it! So I'll need to
investigate what's going on and don't have the time right now.

Best regards,

--
Arnor Baldvinsson
Icetips Alta LLC

Hi Friedrich,

> I was going to compile one of my free tools for you, but I'm getting
> an error 51, "File already code signed" even if I compile the Clarion
> app, copy it to the destination and attempt to code sign it! So I'll
> need to investigate what's going on and don't have the time right now.

Ok, not sure what the problem was. It's an old C6 app and I had it set
to embed manifest, but I was also embedding a manifest in SB! So I
removed that and recompiled and now it's working! Whatever it was, it's
working;)

Try this:

http://www.icetips.com/betas/ITInc2Exp_Install_1.0.26.exe

Let me know how this works... Or doesn't<g> Now if you are going to
infect me with your bad Google JoJo, I'm going to get a wee bit ticked
off!<bg>

Best regards,

--
Arnor Baldvinsson
Icetips Alta LLC

Hi Arnor and Friedrich

Well, Arnor's EXE downloaded just fine using Chrome. No [Discard] message.

A few observations:

In the Countersignatures section, Arnor's cert shows a countersign from "GlobalSign
TSA for Standard - G2"
Friedrich's shows countersign "GlobalSign TSA for Advanced - G2"

Apart from this,
1 - Friedrich's EXE has two digital certs, Sha1 and Sha256. Arnors only has sha256.
2 - Friedrich's EXE has two DIFFERENT countersignatures, Commodo on the sha1 cert and
GlobalSign on the sha256. This may be confusing Chrome.

JohnG

Hi John,

> Apart from this,
> 1 - Friedrich's EXE has two digital certs, Sha1 and Sha256. Arnors only has sha256.

Ok, that would be correct as I only have

#pragma CODESIGN_SHA = "2"

Not

#pragma CODESIGN_SHA = "12"

Didn't think of that... Hold one... Try this one:

http://www.icetips.com/betas/ITInc2Exp_Install_1.0.27.exe

This one has "12"

Best regards,

--

Arnor Baldvinsson
Icetips Alta LLC

Chrome thought it was fine here.

Jeff Slarve
www.jssoftware.com
www.twitter.com/jslarve
I'll search help files & Google for you.

Grammar troll's, are the worse.

So your signer was GlobalSign TSA for MS Authenticode - G2

and Friedrich's is COMODO Time Stamping Signer.

Could that be it?

Jeff Slarve
www.jssoftware.com
www.twitter.com/jslarve
I'll search help files & Google for you.

Grammar troll's, are the worse.

That would be my bet at this stage.

John Griffiths

Hi Arnor,

Yes, that one worked fine for me.

John

Hi Arnor,

Downloaded YOUR file and Chrome thought it was fine here.

Then I uploaded YOUR original file to MY website and BANG... See attached.
WTF???

All files with my OLD certificate are perfect, but Chrome does not like the
NEW one...

Friedrich

Hi Arnor,

Correction. I see this when I try to run YOUR install downloaded from YOUR
site (See attached). SmartScreen does not like your certificate in this
case.

Friedrich

I have opened a ticket with Chromium... What a nightmare :-(

Friedrich

I have downloaded :

http://www.genawise.com/download/sb10_reputation_setup.exe

Bad result in Crome.

Best regards

Edvard Korsbæk

Hi Jeff,

> So your signer was GlobalSign TSA for MS Authenticode - G2
>
> and Friedrich's is COMODO Time Stamping Signer.
>
> Could that be it?

Not a clue! I've had to pick a couple of the time stamping thingies as
some haven't worked. Whatever works, works for me;)

Best regards,

--
Arnor Baldvinsson
Icetips Alta LLC

No warnings, no problems on my Chrome.

Andy Morgan

Hi Friedrich,

> Correction. I see this when I try to run YOUR install downloaded from YOUR
> site (See attached). SmartScreen does not like your certificate in this
> case.

Yeah, does here too:( I'm on 8.1 and it doesn't even give me an option
to run it! I have to go into downloads, RUN, jump through hoops and
then finally I get to this screen:



Wow!

Best regards,

--
Arnor Baldvinsson
Icetips Alta LLC

Hi Arnor,

> Yeah, does here too:( I'm on 8.1 and it doesn't even give me an option
> to run it! I have to go into downloads, RUN, jump through hoops and
> then finally I get to this screen:

All this is a nightmare... :-(

Friedrich

Hi Friedrich,

> I have opened a ticket with Chromium... What a nightmare :-(

Indeed! This is one of the times when I'm heard mumbling: "I'm glad
I'm not Friedrich"<g>

Best regards,

--
Arnor Baldvinsson
Icetips Alta LLC

Hi Arnor,

>> I have opened a ticket with Chromium... What a nightmare :-(
>
> Indeed! This is one of the times when I'm heard mumbling: "I'm glad I'm
> not Friedrich"<g>

<ROFL> :)

Friedrich

Hi Friedrich,

> All this is a nightmare... :-( Friedrich

As far as I can tell, this is just completely unpredictable, which makes
"fixing" it a complete stab in the dark. I think someone at Google left
a random() in there just for fun;)

Best regards,

--
Arnor Baldvinsson
Icetips Alta LLC