An alarming pop-up appears before Twine installation

When I am about to open the executable to install Twine 2.4.1, I get a Microsoft Defender pop-up. What does this mean and what should I do?

(The warning is in Spanish, I translate it in case it isn’t understood :sweat:)

"Microsoft Defender SmartScreen prevented an unknown app from starting. Running this application may pose a risk to the PC."

I scanned it with Virus Total and found nothing malicious. Although I don’t know if it will have any false positives.

Although not a PC user myself, I know macOS blocks apps from running, giving warnings about “apps downloaded from unknown developers.” And then you just have to ignore it and proceed*. Perhaps Windows does the same?

*EDIT: if you trust the source.

1 Like

Twine is unsigned (basically, developers can pay Microsoft for a special key that identifies their apps, these “signed” apps are seen as more trustworthy), though that will probably change in the mid-term future, as making the app signed is something that has been a goal for a while. To install the app anyway, click “More information” or the equivalent for your language, and a button allowing you to install the app anyway will appear.

Of course, you should only install apps you trust. Signed apps are generally more trustworthy, but it’s not a silver bullet or anything. Just because you don’t see a screen like that doesn’t mean an app is trustworthy.

As long as you’ve downloaded Twine from an official source, it should be safe to install.

3 Likes

Ah, lovely Windows SmartScreen. This uses an algorithm to decide if a download is “common” or not (i.e. lots of people have downloaded it with no problems). You can either consider this a valuable service, or a rip-off, since if you’re a company you can avoid this by buying what’s called an “EV (Extended Validation) code signing certificate” that can be used to sign the executable and shut SmartScreen up. But these are a) expensive and b) not available to individuals.

So all the message really means is that the author couldn’t obtain or couldn’t afford a code signing certificate, and the application has not been downloaded frequently enough for SmartScreen to conclude that it’s definitely safe. It doesn’t mean SmartScreen knows the application is malicious.

Personally, I just have SmartScreen turned off, and am careful about where I download executables from.

3 Likes
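The replies above come down to two checks: whether the installer carries a signature, and whether it really is the file the official source published. The PowerShell below is an added example, not part of any post in this thread or of the Twine project. The function name `Test-DownloadedInstaller` and the sample file are constructed for illustration, and the optional checksum is assumed to come from the publisher. It also reads the download's zone marker (the `Zone.Identifier` stream browsers attach), which is what marks a file as downloaded from the Internet.

```powershell
# Added example: report the properties of a downloaded file that the thread discusses.
function Test-DownloadedInstaller {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$ExpectedSha256   # checksum published by the project, if one exists (assumption)
    )
    $file = Get-Item -LiteralPath $Path -ErrorAction Stop

    # Authenticode status: an unsigned file reports 'NotSigned'.
    $sig = Get-AuthenticodeSignature -LiteralPath $file.FullName

    # Zone marker: an NTFS alternate data stream written by browsers on download.
    $zone = $null
    $motw = Get-Content -LiteralPath $file.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
    $zoneLine = $motw | Where-Object { $_ -match '^ZoneId=\d+$' } | Select-Object -First 1
    if ($zoneLine) { $zone = [int]($zoneLine -replace '^ZoneId=', '') }

    # SHA-256 of the file, to compare with a checksum from the official source.
    $hash = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
    $hashMatches = $null
    if ($ExpectedSha256) { $hashMatches = ($hash -eq $ExpectedSha256.Trim()) }  # -eq ignores case

    $signer = $null
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }

    [pscustomobject]@{
        File            = $file.Name
        SignatureStatus = $sig.Status       # Valid, NotSigned, HashMismatch, ...
        Signer          = $signer
        DownloadZone    = $zone             # 3 = Internet, $null = no marker present
        Sha256          = $hash
        HashMatches     = $hashMatches      # $null when no checksum was supplied
    }
}

# Constructed sample: an unsigned script file tagged as if it came from the Internet zone.
$sample = Join-Path $env:TEMP 'constructed-sample.ps1'
Set-Content -LiteralPath $sample -Value "Write-Output 'sample'"
Set-Content -LiteralPath $sample -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3"
Test-DownloadedInstaller -Path $sample
Remove-Item -LiteralPath $sample
```

A `NotSigned` status only confirms the file is unsigned, as described above; the hash comparison is the check that ties the file to its source.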

This is something I want to fix about Twine in coordination with IFTF. However, I have no experience with signing apps on Windows so if anyone reading this would like to help out with this, please contact me.

3 Likes

The Electron site has an overview: Code Signing | Electron

I haven’t looked at the Windows side of that, though.

1 Like

Thank you so much :smile:! I’ll keep that in mind.
Also, I downloaded the installer from the official Twine website (linked by GitHub), I just found the blocking weird…

Thank you! Yes, I’m also careful about downloading some executables. It surprised me that SmartScreen has to block a validated application and I got it from the official website (linked by GitHub).

That will be necessary :pray:, so SmartScreen will not have to pass any more, and so that it doesn’t recognise it as a “malicious file”.

Honestly, I don’t know much about coding but that’s something the Twine developers will have to look at, to see if they will have to patch it again or not.
I checked the page and it does apply to Windows, I think it will be a help for @klembot :slight_smile: