Upgraded Telerik in my ClickOnce application to version 2014.3.1202.40. (Never sure of the best way to do this. After the install, all my references to Telerik controls was broken and I had to remove all Telerik references in each of the projects and re-add them. So, I may be upgrading in the wrong way. But that's another matter.)
I deploy my app to a staging folder on my web server before moving to production. The app is signed with a commercial code signing certificate from Comodo that doesn't expire until 2019. I've uploaded new versions many times with no problem. But now, since I upgraded the Telerik controls, I can't download the and install the application. Here's what happens:
In Chrome, I enter the url: http://porpoiseanalytics.com/PorpoiseStaging/setup.exe
I get the "Not commonly downloaded" warning where I never got that before. I don't get any error on Firefox nor on IE.
If I tell Chrome to keep the file, I can start it. The installation starts on all the other browsers too.
About 3/4 of the way through the download of the files, Avast blocks it with DRep virus (I'm guessing lack of reputation). If I turn off Avast, it installs fine. ClickOnce install log shows an error: "Exception occurred loading manifest from file [application].exe: the manifest may not be valid or the file could not be opened."
Why is my application suddenly acting like it has no reputation when it's been downloaded for months with no problems. But, after I modify the application in VS2010 and then remove and re-add the Telerik dll's, I suddenly have no reputation. And what makes matters worse, is that now my production download located at ttp://porpoiseanalytics.com/PorpoiseDownload/setup.exe is suddenly acting the same way.
I admit I don't have a good enough understanding of reputation, signing, and clickonce. But I do know that whereas before we were fine, after deploying the application, we're flagged as malicious software. I made a few code changes in the program (not many), but I also replaced the Telerik dlls. Probably has something to do with signing and publishing, but I can't figure it out. Please help. Thanks.
I think I figured it out. Although I had signed the manifest in the main UI project (the installer), the executable was not signed. With some help, learned how to do that:
Download the Windows 7 SDK with signtool.
In Visual Studio, open project properties in the main UI project.
Open the Compile tab and click on the Build Events button.
In the post-build events, enter:
"C:\Program Files (x86)\Microsoft SDKs\Windows\v7.0A\Bin\signtool.exe" sign /f "$(ProjectDir)[name of code cert file]" /p "[password]" /t http://timestamp.comodoca.com/authenticode "$(ProjectDir)obj\$(ConfigurationName)\[exe name].exe
where [name of cert file] is the name of the code-signing cert file, such as private_key.pfk, and [password] is the password used when exporting the certificate (if % is included in the password escape it with %%, so pass%word would be entered as pass%%word), and [exe name] is the name of your primary project executable.
In other projects within solution, sign those by inserting a similar command line in the same post-build location:
"C:\Program Files (x86)\Microsoft SDKs\Windows\v7.0A\Bin\signtool.exe" sign /f "$(ProjectDir)DAD_Code_Certificate.pfx" /p "<password>" /t http://timestamp.comodoca.com/authenticode "$(TargetPath)
Orignal Problem
My theory is that the original problem was caused because of a new feature in Avast 2015 that does a DomainRep (reputation?) check and if several criteria are all met, the alarm bells go off and it stops the download. Because my executable was not signed, it met all the requirements.
It is possible (although I really am not sure about this) that because of this DRep alarm, Google flagged the installer on our website as malicious, causing the red "not normally downloaded" warning when first starting the download.
At least, that's my best guess. Others will most certainly understand this better than me (and would have avoided it in the first place by signing the executable).
Official answer from Google Apps technical support (I'm on the Silver support plan - $150/month):
I replicated the issue you are describing and it looks to be a known
issue with Google Chrome, when trying to download an archive that has
an executable in it.
Please be advised that Google Chrome is outside the support scope of
Google Cloud, however the workaround is rather simple: when that
message appears you can click on the arrow to the right of that
message and chose "keep". This will download the file requested.
Related
My company distributes a Chrome extension along with our Windows apps. I have read the Google guidelines on doing so, here, and see that the recommended method of doing so is to publish the extension in the Chrome Web Store, which we have done. Then, during installation, we should place a key in the Windows registry, which will direct Chrome to download the extension from the store the next time it starts up. This all makes sense, and we are planning to use this method.
However, I am told by some of our developers that they are worried about certain scenarios (specifically in countries where access to Google servers may be blocked) where it may not be possible to install the extension this way. Therefore, they have proposed both using this method, and including the .crx file in our installation package. My question is: Will this cause any issues? For users with a normal connection to Google's servers, will they be able to receive the extension as normal?
Will this cause any issues?
As long as "it's useless, because it can't be installed" isn't an issue, then no, no issues including it. /sarcasm
You cannot install CRX files from third-party sources, even manually (and not at all automatically), with the possible exception of enterprise deployment via domain policies.
The only way to install a non-Store extension is as unpacked. This requires manually switching on the Developer mode, selecting the folder, and enduring the scary warning on every Chrome launch.
I'm afraid you'll need to consider excluding such scenarios from your potential market.
How to local install ALL Chrome CRX without any problem:
Chrome saves ALL information in %LocalAppData%\Google.
Install Chrome
Install Chrome .CRX you are needing
Back up %LocalAppData%\Google
Create WinRar to unpack saved profile to: %LocalAppData%
This bypasses the mandatory Chrome store installation.
What are the downsides of this method?
Using this method could overwrite existing user profile data/bookmarks.
Overwriting user saved bookmarks/passwords may cause data loss for user.
What is a possible workaround?
Firefox can use alternate profile, if set to do so via txt in user profile.
If Chrome profile can load alternate profile, locate the string/text responsible for this & edit it to use the new user profile path, then create a WinRar SFX to install to this new location.
This will then enable Chrome SFX installer (Via WinRar SFX) to install a chrome profile with the .CRX extensions desired already installed & not have to mess with pre-existing user data.
What are the downsides to this method?
Users may wonder how to get their old bookmarks/settings to work.
While users will get the new .CRX, it will be starting with essentially a blank profile.
How you can help:
We know we can install any unpacked CRX via SFX install.
We know we can potentially cause Chrome to use alternate profile to avoid corrupting or messing with user data.
We need someone with an idea how to install unpacked CRX without causing a problem in the old user profile.
Things tried so far:
Tried to locate the file(s) responsible for saving installed .CRX settings.
(Make unpacked CRX load & work properly)
Discovered a key file that contained bookmarks/user data also was the same one responsible for ID the CRX & making it load.
This presented a problem, because how is it possible to import this key file in a WinRar SFX installer, without also overwriting the user bookmarks/saved data?
If anyone can figure this part out, we can then use WinRar SFX to unpack CRX into Chrome profile directory, without overwriting/destroying user data.
Alternate method may be to re-route Chrome to use new profile with desired .CRX files already loaded, then cmd-line import the old profile settings/bookmarks/saved passwords.
If this is possible...
Congrats to all who are seeking solutions!
Working together, we can succeed!
I was using a Chrome shortcut with allow-file-access-from-files in the target to work on my three.js student project files. But sometime this morning this stopped working and it appeared Chrome had been updated. I redid the shortcut but no joy.
Part of the project I'm doing is building three.js animation that works in a common browser (for which I chose Chrome).
Is there any way to get Chrome to allow file access again?
Thanks.
The answer I came up with was to use Firefox instead of Chrome changing the security policy as detailed in https://github.com/mrdoob/three.js/wiki/How-to-run-things-locally
Not a perfect answer but with a deadline looming it's the best workable answer for me right now as trying different variations of Chrome, trying Wamp and also Mongoose didn't work. If I had more time I would work out how to use Python or probably node.js as I've seen it mentioned a number of times as being the faster option.
What gman stated is true, using the Chrome flag (and changing Firefox's security policy) does create a big security risk. But only if you use that shortcut (and it's tabs etc.) for anything other than accessing your own local files. I've been scrupulous about not using it for the internet but don't use this method if you can't be strict with yourself.
Ideally I'd recommend beginning any project with node.js.
Gman's answer is good. If you're in windows environment, and use npm for package management the easiest is to install http-server globally:
npm install -g http-server
Then simply run http-server in any of your project directories:
Eg. d:\my_project> http-server
Starting up http-server, serving ./
Available on:
http:169.254.116.232:8080
http:192.168.88.1:8080
http:192.168.0.7:8080
http:127.0.0.1:8080
Hit CTRL-C to stop the server
Easy, and no security risk of accidentally leaving your browser open vulnerable.
DON'T USE THAT FLAG! You're opening yourself to having your online accounts being hacked and your local data stolen. Here are 2 proof of concept examples
Run a simple server.
It's super simple.
Here's one
Here's one.
Here's another.
And another.
They won't take more than a couple of minutes to download and require no configuration
I ran into a problem creating a new project in Cocos2d-x 3.1.1 (or 3.0 - it happens at both versions).
When I'm running the build script in console (Windows 8 - console with admin privileges) an WindowsError pops up (check the image below).
http://i.imgur.com/Ixg4jEE.png
I can set up the COCOS_CONSOLE_ROOT manually, but it does not help with the Error 5.
I tried setting the 777 priviligies an all cocos2d-x folder and subfolders, but it does not help.
Anybody had the same problem? Any solutions out there?
On Windows you should not put manually installed programs and tools under C:\Program... (english: C:\Program Files) because that's a folder where only apps with a proper installer should go. Otherwise you will keep having permission issues. Apps are not allowed to write to that folder or any of its subfolders.
Since cocos2d-x isn't an app, it can't redirect its output to the proper AppplicationData folder as is mandated by the operating system. Not being able to write or modify the program folder's contents (except during installation) is a security feature in Windows that you can't (or shouldn't) bypass.
To fix this simply extract cocos2d-x in a folder that both you and apps have full read/write permission. Normally this would be in your Documents folder, but Desktop would also work and probably just any folder on a drive that you created, for instance C:\cocos2d-x.
Due to this line:
_winreg.SetValueEx() ...
the actual problem looks like to be with registry access, rather than with file permissions.
Make sure you actually running console as an admin, by:
searching cmd in Windows search, or just creating a shortcut to it to desktop
right clicking to cmd.exe and choosing "Run as administrator"
Make sure you don't have registry access block in any way: like blocking in group policies, some "security optimization" software and viruses and antiviruses.
Make sure your python version is 2.x. Python 3.x is not supported.
Anyway, this 'setup.py' step is optional for using cocos2d-x and you can live without running it at all.
Currently, the only way to install a Chrome extension (while working in development) is to drag it from the desktop onto the browser and click "Add" on the popup window. I would prefer to make the whole process automatic. I currently build, package and sign my CRX programatically, but am stuck with the final manual step. Is this possible?
I tried creating my own URL from which to install the CRX (see here: After adding ExtensionInstallSources preference with my URL to Chrome Preferences, still won't allow installing ".crx" packaged app ) but this did not work.
I want this install to be permanent, not a temporary install that only lasts during the current run..
That's an old question, but you recently updated it, so..
There are no fully automated ways to do it besides Enterprise Policy, which only rarely applies. If that is not an option, you're out of luck. This was a security decision in 2014 by Chrome team, because malware that did that was rampant. Here's a latest post on this topic.
On a Windows machine, the Enterprise Policy force_install is the only no-confirmation one, but it requires a machine in a Windows Domain and admin rights in said domain to enable. I'm not 100% sure how it works on Linux/Mac, but here's a relevant FAQ.
There is a programmatic method of installing extensions, but it now only applies to extensions that are published in CWS (so that Google can pull the plug in case of abuse). It is described here, but will still require a manual approval from the user when the browser starts for the first time after this is added. That's how, for instance, various legitimate bundled extensions like Skype's Click-to-call are installed.
For unpacked extensions, you can run with the command line flag:
<path to chrome> --load-extension=<path to extension directory>
For installing a packaged extension in a .crx file, you can use the "external extensions" mechanism to automatically install from either an autoupdate url or a local path:
https://developer.chrome.com/extensions/external_extensions
Two things of note:
-Because this mechanism is intended mostly for distribution to end-users and not for testing, there is a confirmation dialog that allows the user to opt in to the install.
-We may eventually be deprecating the local path based installs in places where we're enforcing the "must be from the webstore" restriction, and only support the autoupdate url (which must be the webstore update url) approach.
I have just setup hudson and have begun playing around with it.
I have downloaded the email-ext.hpi into the the folder $HUDSON_HOME\plugins
I have restarted hudson post-step1 ( i am following this manual method as i am unable to use (for proxy setting reasons) the automatic way of installing plugins via the "Manage hudson" page.
I dont see any errors when hudson starts. In fact i see the line
INFO: Started all plugins
BUT:
When i start a project configuration page, I do not see the promised option "Editable Email Notification".
FYI:
1. I am able to setup and run few basic test builds and they run fine.
2. I am also able to configure and receive the default hudson emails for failures and subsequent successes.(This confirms the SMTP settings)
3. I was also aboe to setup the subversion tag hpi in the same way as detailed above and that works fine as well!
What am i missing? Thanks in advance for any help!
EXTRA INFO:
Hudson version - 1.379 running on Windows XP
OK - i figured out a workaround (although i still need to dig into why this is a problem). Recording here for anyone else tha tmay face this issue.
The plugin when copied into the $HUDSON_HOME\plugin was somehow not really being activeated/recognized. But when i copied it over also to C:\Documents and Settings\mylogin.hudson\plugins and restarted hudson service, voila! it worked.
If anyone knows why this might have occured, kindly record it here for reference. Thanks.
To install a plugin you should use the easy route. In Hudson, go to 'Manage Hudson' -> 'Manager Plugins' -> 'Advanced' (its a tab) and use the 'upload plugin' option.
Than follow the instructions. Usually you have to restart Hudson to actually get the plugin.
Way saver than messing around with the file system. In general the approach you had should have been correct, but there seems to be an issue with your $HUDSON_HOME. Have a look at the "Manage Hudson" -> "Configure System" page. What is the Hudson Home directory displayed on the top of the page? I don't know what Hudson does if it can't access the Home Directory? My assumption is here that Hudson runs as a service with a user account rather than the local system account and that you used a different account to copy the hpi file.
Install Maven Legacy and Maven3 plugins .