Windows Defender SmartScreen triggering on rustup-init.exe downloaded from the website

[pietroalbini]

Reported on Reddit. Quickly looking at the issue seems like the website makes you install the 32bit version instead of the 64bit one, and the 32bit one triggers Windows Defender.

cc @rust-lang/infra @ashleygwilliams

[mqudsi]

It's not an issue with 32-bit vs 64-bit, it just so happens that the two are flagged differently.

Windows SmartScreen is a pretty nice solution to code signing problems, basically it uses the tuple (code_signing_certificate?, hash_of_download) to determine whether a download is flagged. If the binary in question (as identified by the hash) has been downloaded/scanned without actual malware detected enough times, the warning goes away. If the binary is also signed, if other binaries signed with the same certificate have been downloaded/scanned many times the warning is not shown or goes away (this prevents new binaries by existing publishers from being flagged).

Now in this case, both the 32-bit and 64-bit installers are not signed (this sucks and needs to be corrected - certificates are cheap). But the 64-bit installer is more popular and has been run bypassing SmartScreen or with SmartScreen disabled without event enough times that Microsoft has learned to trust that binary.

rustup team can contact me via email to talk about asap band-aid if interested.

[pietroalbini]

Added this to the agenda for the next infra meeting.

[jethrogb]

Looks like there was some discussion in the infra meeting about signing for Windows, but I couldn't find a specific issue for signing.

@jseyfried can you share Windows binary signing best practices?

[aidanhs]

I'm going to close this in favour of the slightly older issue at rust-lang/rustup#1568. I've left a comment on that issue - in short, we're happy to explore code signing, it's just not something we have experience with or have prioritised so far. Help with understanding what's involved would be much appreciated!