make screenpipe not killed / deleted by windows defender ($150) #321

Open
louis030195 opened this issue Sep 13, 2024 · 30 comments · Fixed by #740

Comments

@louis030195
Collaborator

louis030195 commented Sep 13, 2024

/bounty 150

not sure why, check tauri discord they have some conversation about it, maybe need windows signing

https://tauri.app/v1/guides/distribution/sign-windows

algora-pbc bot commented Sep 13, 2024

💎 $150 bounty • Screenpi.pe

Steps to solve:

  1. Start working: Comment /attempt #321 with your implementation plan
  2. Submit work: Create a pull request including /claim #321 in the PR body to claim the bounty
  3. Receive payment: 100% of the bounty is received 2-5 days post-reward. Make sure you are eligible for payouts

Thank you for contributing to mediar-ai/screenpipe!


Attempt Started (GMT+0) Solution
🟢 @Neptune650 Oct 8, 2024, 5:40:16 PM #740

@daveads
Contributor

daveads commented Sep 15, 2024

@louis030195 Did some research a code signing certificate is actually required for this... And it isn't really free

https://federicoterzi.com/blog/automatic-codesigning-on-windows-using-github-actions/

@kerosina
Contributor

@louis030195 Did some research a code signing certificate is actually required for this... And it isn't really free

https://federicoterzi.com/blog/automatic-codesigning-on-windows-using-github-actions/

Since this is an open source project, you can get signing for free
https://about.signpath.io/product/open-source
However, signed builds are built from the public repo and must be built through their CI.

@kerosina
Contributor

if for some reason you don't qualify for SignPath's free signing and you only care about Windows Defender, you can submit the builds to Defender XDR with a description about the program. My program was incorrectly marked as malicious by Defender, and by submitting it there, explaining what the program did, I got Defender to remove the false positive, so it's worth a try.

@daveads
Contributor

daveads commented Sep 15, 2024

@louis030195 Did some research a code signing certificate is actually required for this... And it isn't really free

https://federicoterzi.com/blog/automatic-codesigning-on-windows-using-github-actions/

Since this is an open source project, you can get signing for free https://about.signpath.io/product/open-source However, signed builds are built from the public repo and must be built through their CI.

cool

@kerosina
Contributor

kerosina commented Oct 1, 2024

@louis030195 contact SignPath here, as screenpipe seems to fill the requirements for free signing https://about.signpath.io/product/open-source

@nerdynomadd

Since the requirements for storing Private Keys for Code Signing Certificates were updated in June 2023, the new security practice (and requirement) is to store it on a hardware token secured for that purpose. As far as I know, it is no longer possible to purchase Code Signing Certificates and integrate them directly into the CI without using a Cloud solution.

As this project is backed by a company, it should be suitable to apply for a regular code signing certificate.

CodeSigningStore provides cheap code signing certificates, and access to DigiCert One (https://www.digicert.com/digicert-one).
An alternative solution would be the Azure Trusted Signing solution (https://azure.microsoft.com/en-us/products/trusted-signing), which is also cheap but based on a monthly payment.

If you decide to opt for one of these two solutions, I could write the CI part, as I already have the code to integrate these cloud services.

@louis030195
Collaborator Author

i received an OSS certificate from signpath btw, if anyone wants to help, don't have the bandwidth to work on this

i can share the cert somehow i guess

@Neptune650
Contributor

Neptune650 commented Oct 8, 2024

/attempt #321
@louis030195 I can do this as it's simple GitHub Actions work, I need you to send over the certificate (.cer) and the private key (.key) to [email protected] and by following the guide you've sent.

As for #435 it is being worked on, currently I'm working on fixing some issues regarding Rusty V8 build, because they don't provide pre-built binaries for Windows ARM64 - however this can make build time considerably longer, tell me your thoughts.

Algora profile Completed bounties Tech Active attempts Options
@Neptune650 1 bounty from 1 project
C++, C,
Python & more

@Neptune650
Contributor

The goal here is to possibly merge both changes - adding both signing and Windows ARM64 builds - but we might need to do just one if build time is a concern, please tell me what you think.

@louis030195
Collaborator Author

/attempt #321 @louis030195 I can do this as it's simple GitHub Actions work, I need you to send over the certificate (.cer) and the private key (.key) to [email protected] and by following the guide you've sent.

As for #435 it is being worked on, currently I'm working on fixing some issues regarding Rusty V8 build, because they don't provide pre-built binaries for Windows ARM64 - however this can make build time considerably longer, tell me your thoughts.

will send you the cert

regarding the build, can i give custom runner, can pay if necessary, how much time would it take?

@Neptune650
Contributor

will send you the cert

regarding the build, can i give custom runner, can pay if necessary, how much time would it take?

Using a custom runner would work, but firstly I'd like to try without one

Also it's possible that one build would take some hours, but after it's cached or stored in the custom runner, 30mins max.

@louis030195
Collaborator Author

louis030195 commented Oct 9, 2024

@Neptune650
i invited you to my signpath org, let me know if you need anything else for this (signing windows build)

@Neptune650
Contributor

@Neptune650 i invited you to my signpath org, let me know if you need anything else for this (signing windows build)

I can confirm I've got access, but one issue is that it says the release certificate isn't valid yet, not sure why that is, but we can use the test one for now.

And I wanted to ask if we should sign both the CLI and app or just the app.

@Neptune650
Contributor

@Neptune650 i invited you to my signpath org, let me know if you need anything else for this (signing windows build)

I've done some research and I believe we might need to use another CA to sign with the release certificate instead of the test one.

@Neptune650
Contributor

@louis030195 could you check this? also tell me what to sign
thanks.

@louis030195
Collaborator Author

@Neptune650 when i do apple signing it signs all the files recursively i think:

APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }}

https://v2.tauri.app/distribute/sign/windows/

just let me know what i need to do?

this issue is becoming more of a priority now, increasing bounty

additional context: tauri-apps/tauri#2486

louis030195 changed the title from "make screenpipe not killed / deleted by windows defender ($100)" to "make screenpipe not killed / deleted by windows defender ($150)" on Oct 16, 2024

@Neptune650
Contributor

@Neptune650 when i do apple signing it signs all the files recursively i think:

APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }}

https://v2.tauri.app/distribute/sign/windows/

just let me know what i need to do?

this issue is becoming more of a priority now, increasing bounty

additional context: tauri-apps/tauri#2486

Thanks, then I'll sign files recursively too
Also, any idea why the release certificate doesn't work? I think SignPath might've not given you one properly. This is really important for actually signing the files.
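
A check that could run after the signing step discussed in this thread, as an added example that is not part of the issue or of the project's workflow: it walks a build output directory and reports the Authenticode status, signer and certificate validity window of every executable, DLL and installer, so the app and the CLI are both covered. The `$Root` default is an assumed path.

```powershell
# Added example (not from the screenpipe repository).
# Recursively audits Authenticode signatures in a build output directory.
param(
    # Assumed location of the build output; adjust to the real bundle directory.
    [string]$Root = '.\build-output'
)

$signable = '.exe', '.dll', '.msi'

$results = Get-ChildItem -Path $Root -Recurse -File |
    Where-Object { $signable -contains $_.Extension.ToLowerInvariant() } |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            File        = $_.FullName
            Status      = $sig.Status                       # Valid, NotSigned, HashMismatch, ...
            Signer      = $sig.SignerCertificate.Subject    # empty when the file is unsigned
            ValidFrom   = $sig.SignerCertificate.NotBefore  # shows a certificate that is not valid yet
            ValidTo     = $sig.SignerCertificate.NotAfter
            Timestamped = $null -ne $sig.TimeStamperCertificate
        }
    }

$results | Sort-Object Status, File | Format-Table -AutoSize -Wrap

# Anything other than Valid fails the job: unsigned files, modified files,
# and files whose certificate chain this machine does not trust.
$failed = @($results | Where-Object { $_.Status -ne 'Valid' })
if ($failed.Count -gt 0) {
    Write-Error "$($failed.Count) file(s) without a valid Authenticode signature"
    exit 1
}

# Signatures without a timestamp stop validating once the certificate expires.
$untimestamped = @($results | Where-Object { -not $_.Timestamped })
if ($untimestamped.Count -gt 0) {
    Write-Warning "$($untimestamped.Count) signed file(s) have no timestamp countersignature"
}
```

The Signer column makes it visible when a build was signed with a test certificate rather than the release one.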

@louis030195
Collaborator Author

@Neptune650 when i do apple signing it signs all the files recursively i think:

APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }}

https://v2.tauri.app/distribute/sign/windows/
just let me know what i need to do?
this issue is becoming more of a priority now, increasing bounty
additional context: tauri-apps/tauri#2486

Thanks, then I'll sign files recursively too Also, any idea why the release certificate doesn't work? I think SignPath might've not given you one properly. This is really important for actually signing the files.

no idea

i will just pay for one that works, any recommended service? signpath seems to predate dinosaur age, isn't microsoft having a paid license like apple?

@Neptune650
Contributor

i will just pay for one that works, any recommended service? signpath seems to predate dinosaur age, isn't microsoft having a paid license like apple?

One of the cheaper and most trusted ones out there is https://shop.globalsign.com/en/code-signing
Microsoft does provide one https://techcommunity.microsoft.com/t5/security-compliance-and-identity/trusted-signing-is-in-public-preview/ba-p/4103457 but it has the absurd requirement of a company with 3 years of business history.

@Neptune650
Contributor

Neptune650 commented Oct 17, 2024

Also do note that we need an "EV" certificate to avoid the malware warning, not an "OV" one.
And for it being able to be automated with GitHub Actions, you need to pick "HSM Implementation" with "Azure" in GlobalSign.

@Neptune650
Contributor

@louis030195 any update on this?

@louis030195
Collaborator Author

@Neptune650

image

@Neptune650
Contributor

@Neptune650

image

@louis030195 okay
Sending a pull request for the test signing


algora-pbc bot commented Nov 22, 2024

💡 @Neptune650 submitted a pull request that claims the bounty. You can visit your bounty board to reward.


algora-pbc bot commented Nov 25, 2024

🎉🎈 @Neptune650 has been awarded $150! 🎈🎊

@Neptune650
Contributor

@louis030195
image
It seems SignPath requires us to use the GitHub default runners... we could use that or use a different certification authority.

louis030195 reopened this Nov 26, 2024

@louis030195
Collaborator Author

@Neptune650
Contributor

https://github.com/mediar-ai/screenpipe/actions/runs/12038039741/job/33562801087

let's use different signing auth

@louis030195 Okay then, consider GlobalSign, according to my research it's one of the more affordable ones while also working with GitHub Actions, preferably an EV certificate. Let me know when it's ready.
