Newbie here. When I try to do the Windows install of syncthing-1.27.10-setup.exe, Windows Defender (Smart Screen) flags it as unrecognized and refuses to execute. Windows Explorer Properties does not even show the Digital Signatures Tab. So I ran the Microsoft “Sigcheck” utility, and it says “Unsigned, Publisher n/a”. That’s a lot of red flags.
I found only 1 thread in this forum that is remotely relevant, and it only talks about Microsoft Defender waiting until something has been seen a number of times before trusting it. Syncthing looks like it’s made by some super geeks, so I’m curious why they can’t handle simple Microsoft security. I’ve got a handful of obscure utilities written by one-man shops that don’t have this problem. So what gives?
Please check https://forum.syncthing.net/t/virus-alerts/22634. If you are still worried about the installer, you can always download and use the barebones syncthing.exe binary, which is signed and doesn’t trigger the Defender.
4 Likes
To clarify: The installer/setup for Windows is technically made by a third party (@billstewart) and not by the syncthing project itself. As such, it isn’t signed by the syncthing foundation, which makes it more prone to Defender issues compared to a signed binary (the Defender likes signed binaries much more). Also, the installer technology used seems to make some AV vendors trigger-happy.
Syncthing itself doesn’t have an installer (just an executable for Windows), and you don’t technically need the setup, but the setup is way more comfortable for the average user (i.e. it takes care of autostart and such), which is probably why syncthing.net links to it from the front page.
The official syncthing binary is properly code-signed, though I don’t blame @billstewart for not code-signing their installer: Those certs cost like $500/year and I wouldn’t want to pay for that out of my pocket (especially not considering that these certs are like 50% security theatre).
5 Likes
@Nummer378 is correct.
I released Syncthing Windows Setup as an assistance to the community. It uses Inno Setup which is a free tool for creating installer packages for Windows that’s been around for more than 25 years now. Because it’s out there and free, it does get abused by malware writers, which causes false-positives in some anti-malware software. I’m not going to buy a digital certificate because it doesn’t add any value to the installer package other than reduce the occurrence of a few false-positives for a few anti-malware packages.
Please keep in mind that these packages are out on the Internet for you to download and use for free. Comments such as “Syncthing looks like it’s made by some super geeks, so I’m curious why they can’t handle simple Microsoft security” aren’t helpful. (No good deed goes unpunished, I guess.)
9 Likes