Do not expose MSIX on our servers/builder page #95218

New Issue

Björn Eckhardt · 2022-01-26T11:42:45+01:00

Björn Eckhardt commented

2022-01-26 11:42:45 +01:00

The MSIX is not signed.
Once they hit the Windows Store, they will get signed though.
So the issue is really that we are exposing these on the builder download page [and the blender.org download page as well].
(reason for that being current automation).

note: even with signed MSI you MIGHT see a warning. This is because we don't have extended verification (EV) certificate, so until reasonable amount of people trust the build they'll see warning.

If users download and try to install these unsigned packages, they will report something like:

Original report: 3.0.1 not Trustworthy

I just downloaded the
Blender 3.0.1 - Stable
January 26, 03:46:40 - dc2d18018171 - msix - 250.27MB
x64 from blender.org

but I got a "not trustworthy" note. I thought you should know :-)

System Information
Operating system: Windows-10-10.0.19043-SP0 64 Bits
Graphics card: NVIDIA GeForce GTX 1080 Ti/PCIe/SSE2 NVIDIA Corporation 4.5.0 NVIDIA 496.49

The MSIX is not signed. Once they hit the Windows Store, they will get signed though. So the issue is really that we are exposing these on the builder download page [and the blender.org download page as well]. (reason for that being current automation). note: even with signed MSI you MIGHT see a warning. This is because we don't have extended verification (EV) certificate, so until reasonable amount of people trust the build they'll see warning. If users download and try to install these unsigned packages, they will report something like: **Original report: 3.0.1 not Trustworthy** I just downloaded the Blender 3.0.1 - Stable January 26, 03:46:40 - dc2d18018171 - msix - 250.27MB x64 from blender.org but I got a "not trustworthy" note. I thought you should know :-) ![BlenderUnsafe.JPG](https://archive.blender.org/developer/F12824997/BlenderUnsafe.JPG) **System Information** Operating system: Windows-10-10.0.19043-SP0 64 Bits Graphics card: NVIDIA GeForce GTX 1080 Ti/PCIe/SSE2 NVIDIA Corporation 4.5.0 NVIDIA 496.49

Björn Eckhardt commented

2022-01-26 11:42:45 +01:00

Added subscriber: @BjornEckhardt

Philipp Oeser commented

2022-01-26 11:46:47 +01:00

Added subscriber: @lichtwerk

Philipp Oeser commented

2022-01-26 11:46:47 +01:00

Thx noting, checking with others...

Philipp Oeser commented

2022-01-26 12:31:58 +01:00

Changed status from 'Needs Triage' to: 'Confirmed'

Philipp Oeser commented

2022-01-26 12:31:58 +01:00

The MSIX is indeed not signed.
Once they hit the Windows Store, they will get signed though.
So the issue is really that we are exposing this on the builder download page [and the blender.org download page as well].
(reason for that being current automation).

So will keep this task (thx reporting!) and make this a TODO aiming at not exposing MSIX on our servers/builder page.

The MSIX is indeed not signed. Once they hit the Windows Store, they will get signed though. So the issue is really that we are exposing this on the builder download page [and the blender.org download page as well]. (reason for that being current automation). So will keep this task (thx reporting!) and make this a TODO aiming at not exposing MSIX on our servers/builder page.

Philipp Oeser changed title from ~~3.0.1 not Trustworthy~~ to Do not expose MSIX and MSI on our servers/builder page

2022-01-26 12:35:11 +01:00

Philipp Oeser commented

2022-01-26 12:49:48 +01:00

Added subscribers: @Sergey, @brecht

Brecht Van Lommel commented

2022-01-26 13:28:34 +01:00

The MSI is signed, but this report was about MSIX which is indeed not signed and could be hidden.

Philipp Oeser changed title from ~~Do not expose MSIX and MSI on our servers/builder page~~ to Do not expose MSIX on our servers/builder page

2022-01-26 13:30:43 +01:00

Philipp Oeser commented

2022-01-26 13:31:45 +01:00

In #95218#1295274, @brecht wrote:
The MSI is signed, but this report was about MSIX which is indeed not signed and could be hidden.

Thx noting, changed task description now

> In #95218#1295274, @brecht wrote: > The MSI is signed, but this report was about MSIX which is indeed not signed and could be hidden. Thx noting, changed task description now

This repo is archived. You cannot comment on issues.