I don't think there are ways around it. I have a friend who still ships a Windows app and he had to go to loads of effort to get a signing device.

I would urge you to stop developing for Windows. The signing does not stop bad actors as the verification process is done by some Indian call center that calls you on any number you provide and all you have to do is answer and say "yes that's me."

This should not be encouraged. People are making money off of you just because you comply and for the consumer it adds no safety.


Discussion

Agree in general. The problem for me is not that they have an app signing process ... even if it's bad. The problem is that removing users' rights to execute programs (as per Stallman's framing) is profoundly morally wrong.

macOS lets you jump through hoops to still execute whatever you want (they just want to stop most newbie users from doing it). I can't imagine Windows doesn't have that option, but I don't use it and have no experience.

Defender is installed by default and will quarantine a simple Rust binary and often tell the user they have been infected with a trojan. I know that sounds ridiculous, but I spent a lot of time looking into it.

The problem is they have no incentive not to produce false positives.

Even though GNU/Linux systems don't have these types of restrictions, it would be great to have better sandboxing between desktop apps for a given user. Despite the intentional malware, software exploits and RE bugs exist and would be nice to mitigate with limited scopes, etc. Does Qubes provide better isolation, or are there better alternatives?