Inno Setup is Flagged as Trojan?
-
@aaronventure said in Inno Setup is Flagged as Trojan?:
I've proposed a settings.config file (probably JSON, right? I haven't yet gotten to importing data from external files into a HISE app at runtime) where the developer could enter the company name and product name which would be used to set the default path and folder names in the installer itself.
Ok so as you may have seen at least two of us (Dave and me) have built this sort of thing, and my experience is:
- yes an exe tends to do better early on with the virus protection programs
- if you are looking to get past "the cartels" for the signing - then the exe (as Christoph pointed out) doesnt solved your problem
- your settings.config is too simplistic: there's a range of files that may need to be downloaded and installed in a range of places, fixing the Samples install and LinkFile set up is not the end of what will be required in a generic one-installer-for-all-apps installer. In fact an external settings.config file breaks your model immediately - as the user now needs to download the installer AND the config file...and make sure the config.file is in the correct location. I resolved this by using a config.js include file in the source code that uses the manifest I posted yesterday. Now its all in the installer, but your developer friends will need the source code and will need to edit it for their product.
- your massive re-startable zip download is too big, as pointed out here and elsewhere the File.extractZipFile() gets unreliable for zips over 2GB
- windows only is a bit pointless once you've gone to all this extra effort to then ignore it on the mac platform is a bit of a waste...and all the dmg/packages systems I've tried are "not great" at doing dynamic installs (i.e. where to put the samples).
The installer would then do its work on the Plugins.zip, just like the batch above (I haven't written anything for aax or dll but that's a given). It would also do its work on the Samples.zip.
So no pointing to the samples folder. That's why I'm asking about how to get the "current .exe directory" to save to a File object, so I can use that relative path to run .extractZipFile on the Samples.zip which is by default in the same folder as the setup.exe.
Again, this is Windows only, as macOS needs signing anyway and as such you can use the installers there.
So to be clear the next version of the stand-alone installer, its already added into the "install from inside the plugin" version, will work like this;
- user downloads the installer zip
- user unzips this and runs MyProductInstaller.exe
- The installer does what ever authentication and validation at this point if you want it
- User agrees to the EULA
- The installer downloads a number of archives(actually just zip files) to the users download folder
- The installer asks where the user wants to put the samples
- The installer goes through each archive, checks the internal manifest for where these need to be placed, and unzips them, and adds/modifies the LinkFile
- Installer cleans up the download folder(if the user wants)
Note: this does not overcome any certification issue you might have on windows, and it might not pass every virus scanning software in the world.
Feel free to adapt/change use this workflow if you like.
-
@Lindon said in Inno Setup is Flagged as Trojan?:
yes an exe tends to do better early on with the virus protection programs
if you are looking to get past "the cartels" for the signing - then the exe (as Christoph pointed out) doesnt solved your problem
your settings.config is too simplistic: there's a range of files that may need to be downloaded and installed in a range of places, fixing the Samples install and LinkFile set up is not the end of what will be required in a generic one-installer-for-all-apps installer. In fact an external settings.config file breaks your model immediately - as the user now needs to download the installer AND the config file...and make sure the config.file is in the correct location. I resolved this by using a config.js include file in the source code that uses the manifest I posted yesterday. Now its all in the installer, but your developer friends will need the source code and will need to edit it for their product.
your massive re-startable zip download is too big, as pointed out here and elsewhere the File.extractZipFile() gets unreliable for zips over 2GB
windows only is a bit pointless once you've gone to all this extra effort to then ignore it on the mac platform is a bit of a waste...and all the dmg/packages systems I've tried are "not great" at doing dynamic installs (i.e. where to put the samples).I wouldn't have any downloading from the plugin. The idea is to allow distribution of complete products in a single (or split up) zip. I doubt small devs will want to go through the trouble of setting all that up. You can then simply distribute it via the built-in order fulfillment on gumroad etc whatever.
I linked an example how a delivered zip looks like above, here it is: https://www.mediafire.com/file/gjds9ezo27ia323/HISE_Plugin.zip/file
It just doesn't extract anything because I can't point it to "the folder it resides in" in order to do any extraction, there's no constant for that in HISE, but the concept is there.
No worries about putting things in the right place, everything is in the right place from the start, you just unzip the thing manually (or the browser does it for you, like David pointed out).
If the settings file is a problem, the script can then be plugged into an existing project (just create a new .xml save within the project, it will simply read project data and use the correct company name, project name and version) and exported immediatelly. It's the same app, albeit with a different name and hash, so I don't know how much of a difference it'll make for smart screen.
@Lindon said in Inno Setup is Flagged as Trojan?:
File.extractZipFile() gets unreliable for zips over 2GB
This would just be for the Samples.zip included in the downloaded zip. I wrote a batch script that reads the Samples folder and keeps adding .chx files to a zip called Samples1.zip until it reaches 2GB, then moves onto Samples2.zip etc.
The installer would then simply find all the zip files containing the string
Samples
like you said and loop through them one by one.@Lindon said in Inno Setup is Flagged as Trojan?:
windows only is a bit pointless once you've gone to all this extra effort to then ignore it on the mac platform is a bit of a waste...and all the dmg/packages systems I've tried are "not great" at doing dynamic installs (i.e. where to put the samples).
That's a good point, if I'm signing on mac, might as well use the installer that I already have.
-
@aaronventure said in Inno Setup is Flagged as Trojan?:
It just doesn't extract anything because I can't point it to "the folder it resides in" in order to do any extraction, there's no constant for that in HISE, but the concept is there.
If you really want to go ahead with this, I recommend bypassing HISE completely and write a little JUCE app for that. There's no point compiling a standalone app that renders audio and blocks the audio device just for extracting files and the task at hand is so borderline trivial that I can crank this out within 1-2 hours (as I said, I already did something remarkably similar and it was trivially easy to pull off). The resulting file size will also be much smaller (last time I checked a vanilla HISE app has 20MB while you can get down to 2-3 MB for a lean JUCE app.
You can literally call
File::getSpecialLocation(File::currentExecutable)
there plus other nice QOL things that might be possible to pull off within HISE but involves bending its feature set to be able to almost send emails. So here's my suggestion:- Keep developing the prototype within HISE but don't try for the 100% perfect UX (like hacking around to the get the current executable)
- Ideally gather feedback from other devs about features and generalization
- If that's done and the resulting prototype is considered useful, I'll get on board and rewrite the logic as a C++ JUCE app that I'll put into the HISE codebase for everyone to use. It still leaves the requirement of compiling and code signing the installer build but that should be possible somehow.
-
BTW, just downloaded your zip from media fire and it got blocked by Chrome as suspicious download here :)
-
@Christoph-Hart yeah, I tried as well, same thing. Maybe putting the password on the zip is the ultimate solution
I'm gonna give WiX and NSIS a try as well.
@Christoph-Hart said in Inno Setup is Flagged as Trojan?:
Keep developing the prototype within HISE but don't try for the 100% perfect UX (like hacking around to the get the current executable)
Ideally gather feedback from other devs about features and generalization
If that's done and the resulting prototype is considered useful, I'll get on board and rewrite the logic as a C++ JUCE app that I'll put into the HISE codebase for everyone to use. It still leaves the requirement of compiling and code signing the installer build but that should be possible somehow.The compiled HISE standalone already comes with a bunch of certs as seen in the VirusTotal scan
so I guess that's part of the reason why it's passing Smart Screen and virus scans.
Alright, there's sample location, vst3 location (is changing aax location a thing even?), au location on mac, what else? Where do audiofiles go if you have a bunch of them? It is always %appdata%/company/product ? User presets too, right?
-
@aaronventure said in Inno Setup is Flagged as Trojan?:
vst3 location
This shouldn't be changed by the user, Steinberg specify where it should go on the system.
AU location shouldn't be changed either.
@aaronventure said in Inno Setup is Flagged as Trojan?:
Where do audiofiles go if you have a bunch of them? It is always %appdata%/company/product ? User presets too, right?
Audio files go in the app data folder as a .dat file.
-
@d-healey said in Inno Setup is Flagged as Trojan?:
Audio files go in the app data folder as a .dat file.
er... not for me at least unless I'm doing something wrong..
they go in %AppData%/companyname/productName/AudioFiles
as do any hwt files,
Presets go here:
%AppData%/companyname/productName/UserPresets
Images go here:
%AppData%/companyname/productName/Imagesmeta data goes wherever the developer wants it to go...
the list goes on..
-
@Lindon I just put the .dat file directly in the app data folder.
As per the docs - https://docs.hise.audio/working-with-hise/settings/project.html#embed-audio-files
-
the list goes on..
Yeah but anything I can think of either goes into the samples folder or some subfolder of the app data folder, so you can just use a zip file with the correct folder hierarchy for the entire app data payload.
I think 99% of all cases can be covered by having three payloads:
- Plugins.zip which contains every plugin that is put to the default location (with an option to change it if appropriate, eg. VST2 on Windows)
- Samples.zip which use either the existing location (if the Linkfile already exists) or a default that can be picked by the developer. The first option is important for shipping updates / expansions.
- AppData.zip which contains any payload that should be put into the app data directory. AudioFiles.dat, Wavetable stuff, additional DLLs (currently there is none, but I remember that I had to ship the rLottie.dll for PercX). Even Expansions could be put there.
On macOS you can simply bundle all that up into a nice .dmg file (you can even hide the zip archives so the end user only sees the installer app which is about as nice as it can get. But on Windows you'll have a zip file that contains other zip files AND the installer which is a bit weird.
-
@Christoph-Hart oh and if we‘re at it: the sample payload can then be just an hr1 archive (this would be optional if your sample data is HLAC monoliths). This way you get automatic split archives and the compression is way better than ZIP.
-
@Christoph-Hart said in Inno Setup is Flagged as Trojan?:
@Christoph-Hart oh and if we‘re at it: the sample payload can then be just an hr1 archive (this would be optional if your sample data is HLAC monoliths). This way you get automatic split archives and the compression is way better than ZIP.
I thought the compression was in the ch1 files? Didnt you say that once? not in the HR1 files
-
@Lindon said in Inno Setup is Flagged as Trojan?:
I thought the compression was in the ch1 files?
Both. The HR1 format uses the FLAC format which yields a better compression ratio (about 30-40% more) so I chose that for the file distribution format where performance doesn't matter at all.
-
@Christoph-Hart There are some issues with exporting monoliths to HR1 that I kept running into so I gave up on that kind of deployment. I've narrowed it down to my sample map, but even after recreating it from scratch (re-importing all the samples and setting everything up) it's still happening. HISE freezes and needs to be terminated, and the result is only a temp.dat file with ~75% of the target size.
-
More findings on this recently:
I've discovered that using Inno Setup 6.0.3 results in the least number of false positives on VirusTotal, and most important of all, doesn't falsely trigger the Windows Defender.
Further, adding product name to the setup and creating a custom type [Types] in the script knocks that down to 3. Now, self-signing via openssl and signtool drops it down to 1, with the only report being the Crowdstrike Falcon saying it's greyware, and they a dedicated email for false positives on their website.
-
@aaronventure Can you share some instructions for self signing?
-
@aaronventure
Yes, instructions for self signing would be really great! :-) -
@d-healey https://github.com/jfmaes/LazySign
This uses the old makecert. It's a simple bat, you can tweak it indefinitely.
You'll be prompted to create a password for the temporary cert, then to point to the .exe .
You can alternatively use openssl to make a certificate which can stremline the process. Install openssl https://github.com/openssl/openssl from here.
I create my installers in the Deploy folder inside the project directory. I have a batch that creates the temporary cert with openssl for the given name (edit this in the batch script; I plan to eventually have it hook into user_info.xml and automatically pull the Company property value)
This batch will check all the subfolders inside the Deploy directory and sign them with the temporary certificate. It won't prompt for password nor for a target file. Simply drop it in your project root directory and make sure you have .exe files in \Deploy\ or wherever (change the bat to your liking).
Change the company name variable to whatever you want. Make sure you point it at signtool.exe as well. You can get it either from the SDK, but the LazySign repo contains the exe as well.
_sign_with_openssl and signtool.zip
The result is a signed binary with a non-verified signature. Some antivirus software seem to find that's enough. This won't prevent smartscreen (only a high enough score will; enough users going through with the execution anyway, as well as a submission to the Microsoft Defender https://www.microsoft.com/en-us/wdsi/filesubmission though I cannot confirm whether it completely eliminates it as triggering smart screen on all my testing computers in the first place is hit or miss. E.g. HISE installer from the Releases page triggers it on my laptop. The self-signed installer from Inno 6.0.3 signed this way doesn't.
Another way of doing it is signing with your domain using limelighter https://github.com/Tylous/Limelighter
This doesn't time stamp it but what's interesting is that when signed with limelighter, the HISE installer 3.6.2 doesn't trigger the smart screen on my laptop. Signing with a self-made cert from openssl and signtool (the method above) still triggers it.
But this also adds another false positive in VirusTotal
Bkav Pro - W32.AIDetectMalware
along with the greyware flag from Crowdstrike Falcon.
One of the values for my proposition of a universal installer (glorified unzipper) using HISE Standalone was that it would completely eliminate Smart Screen issues. If it's always the same exe with the same hash that everyone is distributing, then even if it triggers the smart screen in the first few dozen occurrences, it will eventually stop. Btw. I've never encountered a smart screen from any HISE Standalone app I tested, either mine or here from the forum, on any of my machines or VMs. So it looks like it's already "in there", maybe because they all have very similar architecture when compiled (?) and people have been using various HISE Standalone apps for a while now, no?
I'll continue work on it and post a better example soon.
-
@Christoph-Hart said in Inno Setup is Flagged as Trojan?:
Or don't give in to the code sign mafia and raw dog your installers to your customers like a real man!
:face_with_tears_of_joy: :face_with_tears_of_joy: :face_with_tears_of_joy:
-
Who cares about installers, I'm gonna zip this bad boy up, and let the customers figure out the rest.
-
@ThinkTank said in Inno Setup is Flagged as Trojan?:
Who cares about installers, I'm gonna zip this bad boy up, and let the customers figure out the rest.
Good luck :)