Windows 10 freaks out and claims this program is malware when downloading the 64bit version from the website. I got mirror.mit.edu if that matters. Edge uses smartscreen and doesn't even let you download it without jumping through extra hoops. Just thought I would let you know.
There is no problem with Windows10 in the box from Germany out. Do you still remember which KDE mirror server was displayed? Probably a KDE mirror server is on the blacklist? Maik
Oh, you write the mirror server. Maik
Yes, mirror.mit.edu is on the blacklist at Edge. Maik
Do yo u mean that windows installer has been corruptd by the hosting mirror service ? Did you check the MD5 sum provided ? This must be the same than one provided on non mirror KDE site. If no, go out immediately... Gilles Caulier
This come with which digiKam version exactly ? Gilles Caulier
I have not checked the digiKam binary, but it is enough to call mirrors.mit.edu/kde/ Maik
The MD5 sum files were not loaded on the KDE server. They exist only in our beta archive. Do you have for a test the MD5 for digiKam-5.9.0 Win64? But I can also test it against the main mirror server. Maik
Compute package checksums for digiKam 5.9.0 File : digiKam-5.9.0-01-MacOS-x86-64.pkg Size : 201M MD5 sum : 7779f6f4014c483c29e428d2bf85ead2 SHA1 sum : 93df90a6a585d6ff3b75d4db6949e1938c00cd21 SHA256 sum : d3b76fcabfbd281289702d2c3a1f6ab63cda3b8f45cc54e642fee329cb0f197c Compute package checksums for digiKam 5.9.0 File : digikam-5.9.0-01-i386.appimage Size : 380M MD5 sum : f39de8de15d14fec7838e66888dd7085 SHA1 sum : a3f31c3d004ce0f6699f6cd58722918f8b624085 SHA256 sum : f909d4cdc39b0433bb93a1ca6bdcc00403d6c92e39c84eeb885f89652e8cf923 Compute package checksums for digiKam 5.9.0 File : digiKam-5.9.0-01-Win32.exe Size : 272M MD5 sum : 4b123bb9855a0543e3790118cf5fad2b SHA1 sum : 4718065c2cbd675079331ad44c64dbf8aa4ee004 SHA256 sum : d5ee3d86274b528d16b348c2d09156ab3f6a3f63de064f6905ee4264dce5f5c9 Compute package checksums for digiKam 5.9.0 File : digiKam-5.9.0-01-Win64.exe Size : 276M MD5 sum : 706ce20426df67873714bb476a69751d SHA1 sum : 0d8567657742bbcab7d957014d3ebf87a84cc6b9 SHA256 sum : 54611d9cf28f2d252798331dee1b41f291a70a27c5216b8b9865600719fead1a Compute package checksums for digiKam 5.9.0 File : digikam-5.9.0-01-x86-64.appimage Size : 380M MD5 sum : eb7871ee7d6c99d264a9cadd69199a99 SHA1 sum : 5d7ca0fe4897497b906501fae7d5c3ad27920a7d SHA256 sum : da14b81304ca19eb148882f2b3d5bed5146de845f87f1baa2338b26e770d9d76 All official sums that i post to Phabricator when i published DK 5.9.0... Gilles
I have not checked all the files, but the MD5 sum for digiKam-5.9.0 Win64 is correct from mirror.mit.edu. Not only is the KDE sub-branch affected, Edge warns at all project directories on this server. Maik
Tested today, the server mirror.mit.edu is no longer on the blacklist. I close the bug now. Maik
Created attachment 123856 [details] Windows defender warning
I just downloaded digiKam-6.4.0-Win64.exe from "preferred mirror" at this page https://download.kde.org/stable/digikam/6.4.0/digiKam-6.4.0-Win64.exe.mirrorlist Running that file windows defender shows up. The first message reads: "Windows protected your PC Windows Defender SmartScreen prevented an unrecognized app from starting. Running this app might put your PC at risk. More info" And to go on with install, you need to press the "More info" link, for the "Run anyway" button to appear. You may want to reopen this.
Windows Defender do not recognize digiKAm application. It's normal, it's not registered in Windows Store. In other words, M$ want that we pay to register an OpenSource application ? F... Other point, very important : digiKAm is fully cross compiled under Linux to generate the installer, the application, the dependencies, etc... There is no Windows stuff used in this process ==> No virus !!! So, again, I F... Windows defender ! Gilles Caulier
I now understand the problem with code signing certificates, and that it's a cost that open source software can not (and should not) handle. It has nothing to do with Windows Store (although its "windows apps" are more rigorously checked). Here is a good article about code signing certificates and Open Source, for the ones who find this and want to learn more: https://codedead.com/?p=2224 There is one specifically interesting thing in the article, that I think applies to this case: "If some magical number of people download an application, then Microsoft will reconsider the warning and stop it from showing". So I downloaded an OLDER version of DigiKam, and tried starting the installer exe now, and the Smartscreen did NOT show. So I guess in a few days or weeks this problem will be gone for version 6.4.0 as well. Regarding your thoughts about cross compilation as a guarantee for no virus: I can't see why a virus would need to be present at installer build time. The normal behaviour for a virus would be to attach itself to files at a later stage. The checksum would then change, and just as you have done before in this thread you would have to verify the checksum to be on the safe side. On Windows by using the Microsoft fciv command, for example: fciv.exe "C:\Users\[username]\Downloads\digiKam-6.4.0-Win64.exe" ... and compare the result with the one presented at DigiKam's site. I write this for other people who want to learn, as I just did. More about fciv can be found here: https://support.microsoft.com/en-us/help/841290/availability-and-description-of-the-file-checksum-integrity-verifier-u It seems you got very upset due to my entry, with all that (disguised) swearing. I'm sorry to see that. I just thought the SmartScreen could be intimidating for some users, and in this thread it did not say it was the expected behaviour, which it seems to be for new files from unsigned software. I thought there were free or OpenSource code signing ceritficates as well, but it doesn't seem to be the case any more. In one way the Smartscreen warning is a good thing, if it makes people be more careful with what they install. On the other hand a certificate does not guarantee that the software is good, just that someone has paid for a software signing certificate.