Unsigned software


zim55533
Posts: 10
Joined: Sat Feb 12, 2022 3:07
Has thanked: 1 time

Unsigned software

Postby zim55533 » Sat Feb 12, 2022 3:15

Are there any plans of signing the executables you provide on your downloads page? Or at least to provide file hashes to verify you've downloaded untampered, official software?

fallout9
Posts: 5467
Joined: Wed Oct 03, 2018 20:37
Has thanked: 222 times
Been thanked: 1269 times

Re: Unsigned software

Postby fallout9 » Sat Feb 12, 2022 3:24

We will definitely inform the developer about it.

zim55533
Posts: 10
Joined: Sat Feb 12, 2022 3:07
Has thanked: 1 time

Re: Unsigned software

Postby zim55533 » Sat Feb 12, 2022 13:18

Great, thanks! :D

zim55533
Posts: 10
Joined: Sat Feb 12, 2022 3:07
Has thanked: 1 time

Re: Unsigned software

Postby zim55533 » Wed Feb 23, 2022 20:00

fallout9 wrote: We will definitely inform the developer about it.

I just wanted to add that vkbdevcfg-c.exe & zbootloader2.exe get caught up in Windows Defender SmartScreen. I submitted false positive reports for the current versions of both of them, but this is what the analyst at Microsoft said that you might want to forward as well:
The warning you experienced indicates that the application had not established reputation with the Microsoft Defender SmartScreen Application Reputation feature at that time. We can confirm that the application vkbdevcfg-c.exe (sha256 – 38a78d8bd4999649ae87e175ad1e429cce9239780dec897bf7f86d6aa02d4272) has since established reputation and attempting to download or run the application should no longer show any warnings.
Please note, however, that the submitted files are not signed using a valid digital certificate. Unsigned files will have to establish reputation each time a new version is released.
Application Reputation warnings are meant to indicate when applications do not have known positive reputation. This doesn’t mean that the application is malicious, only that it is “unknown.” Users can still proceed to download and run the application. If establishing reputation immediately is critical, you may want to consider investing in an EV Authenticode certificate.
A valid EV Authenticode certificate can immediately establish reputation with SmartScreen reputation services even if no prior reputation exists. In order to be considered a valid EV certificate, the certificate must be issued by a Certificate Authority that is authorized by the Microsoft Trusted Root Certificate Program and recognized as an Extended Validation issuer.

Thank you for contacting Microsoft.

And then the same message but for zbootloader2.exe (sha256 – adecff4aeefe7f0f988d95082c730a4213bb34e39b96f079c161321c214aba92).

sunsanvil
Posts: 1
Joined: Wed Aug 06, 2025 15:29

Re: Unsigned software

Postby sunsanvil » Wed Aug 06, 2025 15:40

I know this is a super old thread, but I just wanted to say that it really, really would be good if your dev would get your application signed already. It just doesn't sit well when a company like VKB doesn't take that step. The cost (well under $1k/year if I understand correctly) is surely not a meaningful expense for a company your size.

It is of course good that a file hash is provided, but I believe you should be posting that hash on your website (rather than in a text file bundled with the executable itself).
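
The point about where the hash is published, as an added example that is not part of the original thread or the vendor's own code: a hash file shipped beside the executable is regenerated by whoever modifies the download, so only a hash obtained through a separate channel detects the change. The file names, contents and the `.sha256` sidecar layout are constructed for illustration.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file so large installers are not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def matches(path: Path, expected_hex: str) -> bool:
    """Compare the file's SHA-256 with an expected hex digest."""
    return hmac.compare_digest(sha256_file(path), expected_hex.strip().lower())


def check_bundled(pkg_dir: Path, exe_name: str) -> bool:
    """Verify the exe against the hash file shipped in the same package."""
    bundled = (pkg_dir / (exe_name + ".sha256")).read_text().split()[0]
    return matches(pkg_dir / exe_name, bundled)


def make_package(pkg_dir: Path, exe_name: str, content: bytes) -> str:
    """Build a constructed package: a stand-in 'executable' plus its hash file."""
    pkg_dir.mkdir(parents=True, exist_ok=True)
    (pkg_dir / exe_name).write_bytes(content)
    digest = hashlib.sha256(content).hexdigest()
    (pkg_dir / (exe_name + ".sha256")).write_text(digest + "  " + exe_name + "\n")
    return digest


def demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Digest as the vendor would publish it on its website (separate channel).
        published = make_package(root / "official", "tool.exe", b"official build (constructed)")
        # A modified download: the sidecar hash was regenerated along with the file.
        make_package(root / "download", "tool.exe", b"modified build (constructed)")
        return {
            "official_bundled": check_bundled(root / "official", "tool.exe"),
            "modified_bundled": check_bundled(root / "download", "tool.exe"),
            "modified_published": matches(root / "download" / "tool.exe", published),
        }


if __name__ == "__main__":
    print(demo())
```

The bundled check passes for both packages, while the comparison against the separately published digest rejects the modified one.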

Alex Oz
Posts: 1249
Joined: Mon May 12, 2008 9:10
Location: Минск
Has thanked: 26 times
Been thanked: 143 times

Re: Unsigned software

Postby Alex Oz » Sun Aug 10, 2025 14:31

About 50 versions of the configurator are released per year. This means that the signed version will always be the most outdated.
Latest firmware & software
https://www.njoy32.vkb-sim.pro/home
http://alex-oz.strana.de

