
Microsoft Defender SmartScreen marks talosctl-windows-adm64.exe [1.91] as unsafe #10093

Open
tonyhogsten opened this issue Jan 7, 2025 · 5 comments

Comments

@tonyhogsten

Bug Report

Microsoft Defender SmartScreen marks talosctl-windows-adm64.exe [1.91] as unsafe

Description

I am unable to download the binary because Microsoft Defender SmartScreen marks it as unsafe.

https://objects.githubusercontent.com/github-production-release-asset-2e65be/109451092/8c7183d6-d725-42d7-8c9f-4b8026661079?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20250107%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20250107T083421Z&X-Amz-Expires=300&X-Amz-Signature=6bd40842fc9956927bcb181d54f34d53e18b772dd8595d9ab8cdd38279d8c493&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3B%20filename%3Dtalosctl-windows-amd64.exe&response-content-type=application%2Foctet-stream

Logs

(image attached)

Cannot keep it.

Environment

  • Talos version: [talosctl version --nodes <problematic nodes>]
  • Kubernetes version: [kubectl version --short]
  • Platform:
@steverfrancis
Collaborator

Can you expand the error so we can see what the full message is?
Then we can open a case with Microsoft.

@tonyhogsten
Author

@steverfrancis talosctl-windows-adm64.exe isn't commonly downloaded. Make sure you trust talosctl-windows-amd64.exe before you open it. And some companies, including mine, don't let me trust it myself, so it's impossible to download/run.

@smira
Member

smira commented Jan 8, 2025

Probably related to siderolabs/kres#450

@steverfrancis
Collaborator

I've opened a case with Microsoft to whitelist it. Will update when they respond.

@brantgurga

brantgurga commented Jan 18, 2025

@steverfrancis it's more about the executable not being signed. It can be downloaded, but it's buried and hard to find and you have to repeatedly dismiss SmartScreen dissuading you from downloading twice. See #9067

Same issue for omnictl in siderolabs/omni#492

@smira I don't think it's directly related to siderolabs/kres#450, but the similar mechanisms I used in my draft solution for that one are probably useful. @rothgar looked up a bit more on digital signing in the comments of #9067. I haven't piloted digital signing like I did filling in manifest properties, but from what I understand of your build system, the changes will be in kres too; unlike the manifest properties, though, it'd need access to a code signing certificate private key. That's a bit more challenging to mock up an implementation.

When it's not a commonly downloaded file, SmartScreen and other tools rely on the reputation of the signing certificate. If there is no signature, as is the current case, you get this behavior.

Additionally, if the Smart App Control feature of Windows is On, an unsigned executable is blocked from executing at all, with the only option being to turn off Smart App Control. Most developer machines aren't likely to turn on Smart App Control automatically, I wouldn't think, but it can be manually enabled, and once turned off it can only be enabled again from a clean OS install. For more on Smart App Control see https://support.microsoft.com/en-us/windows/smart-app-control-frequently-asked-questions-285ea03d-fa88-4d56-882e-6698afdb7003, where the basic answer is 'sign your app with a valid certificate'.
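The two comments above hinge on one fact about the release artefact: whether the PE image carries an Authenticode certificate table at all. The Go program below is an added example, not code from the Talos project, kres, or any commenter. It parses a PE file with the standard library's debug/pe, reads the security data directory (index 4, which unlike the other directories holds a raw file offset), and reports whether a WIN_CERTIFICATE header is present. The names inspectPE, SigInfo and minimalPE64 are my own; minimalPE64 constructs a bare PE32+ header layout with a placeholder certificate header (not a real PKCS#7 signature) so the check can be exercised offline. A release pipeline could run this over every windows-*.exe before publishing and fail the build when Signed is false.

```go
package main

import (
	"bytes"
	"debug/pe"
	"encoding/binary"
	"errors"
	"fmt"
	"os"
)

// imageDirectoryEntrySecurity is the data-directory index of the certificate table.
const imageDirectoryEntrySecurity = 4

// SigInfo summarises what the PE security directory says about an image.
type SigInfo struct {
	Signed   bool
	Offset   uint32 // file offset of the WIN_CERTIFICATE blob
	Length   uint32 // dwLength from the WIN_CERTIFICATE header
	CertType uint16 // wCertificateType; 0x0002 = PKCS#7 SignedData (Authenticode)
}

// inspectPE reports whether a PE image carries an Authenticode certificate table.
// It only checks presence and framing; validating the chain and timestamp is
// still a job for signtool / Get-AuthenticodeSignature on Windows.
func inspectPE(data []byte) (SigInfo, error) {
	f, err := pe.NewFile(bytes.NewReader(data))
	if err != nil {
		return SigInfo{}, err
	}
	defer f.Close()

	var dir pe.DataDirectory
	switch oh := f.OptionalHeader.(type) {
	case *pe.OptionalHeader64:
		dir = oh.DataDirectory[imageDirectoryEntrySecurity]
	case *pe.OptionalHeader32:
		dir = oh.DataDirectory[imageDirectoryEntrySecurity]
	default:
		return SigInfo{}, errors.New("image has no optional header")
	}
	if dir.VirtualAddress == 0 || dir.Size == 0 {
		return SigInfo{Signed: false}, nil // no certificate table: unsigned binary
	}
	// The security entry is a file offset, not an RVA; bounds-check it before reading.
	if dir.Size < 8 || uint64(dir.VirtualAddress)+uint64(dir.Size) > uint64(len(data)) {
		return SigInfo{}, errors.New("certificate table points outside the file")
	}
	hdr := data[dir.VirtualAddress:]
	return SigInfo{
		Signed:   true,
		Offset:   dir.VirtualAddress,
		Length:   binary.LittleEndian.Uint32(hdr[0:4]), // dwLength
		CertType: binary.LittleEndian.Uint16(hdr[6:8]), // wCertificateType (wRevision is hdr[4:6])
	}, nil
}

// minimalPE64 builds a constructed PE32+ image that debug/pe accepts: a 64-byte DOS
// stub, "PE\0\0", a 20-byte COFF header with no sections and a 240-byte optional
// header with 16 data directories. With withCert set, a placeholder WIN_CERTIFICATE
// header (24 bytes, no real signature inside) is appended and the security directory
// points at it.
func minimalPE64(withCert bool) []byte {
	const dosSize, fileHdrSize, optHdrSize = 64, 20, 240
	buf := make([]byte, dosSize+4+fileHdrSize+optHdrSize)
	copy(buf, "MZ")
	binary.LittleEndian.PutUint32(buf[0x3c:], dosSize) // e_lfanew
	copy(buf[dosSize:], "PE\x00\x00")

	fh := buf[dosSize+4:]
	binary.LittleEndian.PutUint16(fh[0:], 0x8664)       // IMAGE_FILE_MACHINE_AMD64
	binary.LittleEndian.PutUint16(fh[16:], optHdrSize)  // SizeOfOptionalHeader
	binary.LittleEndian.PutUint16(fh[18:], 0x0022)      // EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE

	oh := fh[fileHdrSize:]
	binary.LittleEndian.PutUint16(oh[0:], 0x20b)  // PE32+ magic
	binary.LittleEndian.PutUint32(oh[108:], 16)   // NumberOfRvaAndSizes

	if withCert {
		cert := make([]byte, 8+16) // header + 16 placeholder bytes standing in for PKCS#7 data
		binary.LittleEndian.PutUint32(cert[0:], uint32(len(cert))) // dwLength
		binary.LittleEndian.PutUint16(cert[4:], 0x0200)            // wRevision = WIN_CERT_REVISION_2_0
		binary.LittleEndian.PutUint16(cert[6:], 0x0002)            // wCertificateType = PKCS_SIGNED_DATA
		secDir := oh[112+8*imageDirectoryEntrySecurity:]
		binary.LittleEndian.PutUint32(secDir[0:], uint32(len(buf))) // file offset of the blob
		binary.LittleEndian.PutUint32(secDir[4:], uint32(len(cert)))
		buf = append(buf, cert...)
	}
	return buf
}

func main() {
	// With a path argument, inspect that file; otherwise run on the constructed samples.
	if len(os.Args) > 1 {
		data, err := os.ReadFile(os.Args[1])
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(2)
		}
		info, err := inspectPE(data)
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(2)
		}
		fmt.Printf("%s: %+v\n", os.Args[1], info)
		if !info.Signed {
			os.Exit(1) // lets a CI step fail on an unsigned release artefact
		}
		return
	}
	for _, withCert := range []bool{false, true} {
		info, err := inspectPE(minimalPE64(withCert))
		fmt.Printf("withCert=%v -> %+v err=%v\n", withCert, info, err)
	}
}
```

Presence of a certificate table is the cheap gate SmartScreen-style reputation starts from; it says nothing about whether the signer's certificate is valid, trusted, or has accumulated reputation, so a release pipeline should still verify the signature with a proper Authenticode verifier after this check passes.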
