Lazarus
Installation => Windows (32/64) => Topic started by: systems on May 21, 2022, 08:13:17 am
-
Hi
When I tried to install Lazarus on Windows 10, I got this warning (attached):
Windows protected your PC
Microsoft Defender SmartScreen prevented an unrecognized app from starting. Running this app might put your PC at risk.
App:
lazarus-2.2.2-fpc-3.2.2-win64.exe
Publisher:
Unknown publisher
I think this can be fixed if the install file is properly signed. I made an issue/ticket on GitLab, hope it gets their attention.
Anyway, how serious is this issue?
-
I think this can be fixed if the install file is properly signed. I made an issue/ticket on GitLab, hope it gets their attention.
The problem is that code signing certificates cost money and need to be renewed regularly.
Anyway, how serious is this issue?
From a technical point of view: as long as you downloaded it from one of the official sources (the servers we advertise or SourceForge), not at all. Just continue with the installation.
-
We do publish checksums on our webpage.
https://www.lazarus-ide.org/index.php?page=checksums
https://www.lazarus-ide.org/index.php?page=checksums#2_2_2
So after the download you can verify that your copy was not modified. (Most OSes supply tools to compute the checksum. For Windows you can use PowerShell or download "fciv.exe" directly from Microsoft for free.)
A signature does nothing but tell you that the file has not been modified since it was signed.
If we would sign, then you would still need to check that the signature is ours (someone else could have a similar name for their signature).
So using the checksum gives you the same information.
For the Windows builds, you can also check (for each checksum)
https://www.virustotal.com/gui/file/3aecce3f12f9c1824dcb149142abfbaee4e162a2624e62cb0ecd9b7c2142b7e3
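
The PowerShell check mentioned above, as an added example that is not part of the original post or the Lazarus project's own tooling. The download path and the SHA256 default are assumptions, and the expected digest is a placeholder to be replaced with the value from the checksums page; the Mark of the Web is removed only when the digest matches.

```powershell
# Added example: verify a downloaded installer, then unblock it.
function Test-InstallerChecksum {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Expected,   # copied from the checksums page
        [ValidateSet('MD5', 'SHA1', 'SHA256', 'SHA512')]
        [string] $Algorithm = 'SHA256'               # assumption: use what the page publishes
    )

    # Strip whitespace picked up when copying from a web page, then make
    # sure the value has the right length for the chosen algorithm.
    $want   = ($Expected -replace '\s', '').ToLowerInvariant()
    $hexLen = @{ MD5 = 32; SHA1 = 40; SHA256 = 64; SHA512 = 128 }[$Algorithm]
    if ($want -notmatch ('^[0-9a-f]{{{0}}}$' -f $hexLen)) {
        throw "Expected value is not a $Algorithm digest ($hexLen hex characters)."
    }

    $got = (Get-FileHash -LiteralPath $Path -Algorithm $Algorithm).Hash.ToLowerInvariant()

    # The Zone.Identifier stream is the Mark of the Web that makes
    # SmartScreen treat the file as an Internet download.
    $motw = [bool](Get-Item -LiteralPath $Path -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        File      = Split-Path -Leaf $Path
        Algorithm = $Algorithm
        Match     = ($got -eq $want)
        Computed  = $got
        Signature = (Get-AuthenticodeSignature -FilePath $Path).Status  # NotSigned for an unsigned file
        HasMotW   = $motw
    }
}

# Assumed download location; replace the placeholder before running.
$installer = "$HOME\Downloads\lazarus-2.2.2-fpc-3.2.2-win64.exe"
$result = Test-InstallerChecksum -Path $installer -Expected '<DIGEST FROM THE CHECKSUMS PAGE>'
$result | Format-List

# Remove the Mark of the Web only after the digest matched.
if ($result.Match -and $result.HasMotW) {
    Unblock-File -LiteralPath $installer
}
```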
-
Thanks all,
I checked the checksum, and it's good, it matches
I still think making this warning go away is not a bad idea, I think many complete beginners might be stopped by it
since you have to click view more information link, and only then you get the proceed anyway button, which still looks scary ;)
-
I still think making this warning go away is not a bad idea, I think many complete beginners might be stopped by it
What is a complete beginner doing using Windows?
MarkMLl
-
Well, I agree with the general statement "would be nice to have". And maybe also that some people who don't know the project would find it easier to trust the download. (Though to be honest, if I don't know who is behind the name on the certificate, I don't trust it any more than I would if it wasn't there)...
But the problem remains, it takes time and money. In this case the bigger issue actually is time. Someone needs to spend the time. I don't have it. Not sure if anyone "eligible to do the task" has time (and interest for that matter).
"eligible" because I guess it should be someone known to (and trusted by) the project.
But well, if enough lobbying is done, maybe someone ...
-
Well, on the bugtracker, I was asked to unlock the file from the Windows file properties
and it kinda works, I no longer get the warning, but it's not really a solution
But now I see a second issue, the installer starts working without asking for an admin account
and raises a warning/error when it tries to write DLLs in C:\Windows\System32
I think this also needs a fix, the installer needs to ask for admin privilege as soon as it starts
-
As for the DLL issue, I installed Lazarus 2.2.2 on a brand new Windows 11 VM and had no issues. Perhaps you already had copies of those DLLs and no overwrite access?
-
You probably had admin privileges, this is my work computer, so my normal user doesn't have admin privileges
most personal users won't notice this
-
Ah yes, being the only user on the Win11 system might explain it.
I'd be wary of using any of the supplied, or even the system, SSL DLLs anyway. The latest OpenSSL stable version is the 3.0 series which is supported until 7th September 2026. This is also a Long Term Support (LTS) version. The previous LTS version 1.1.1 is on life support until 11th September 2023 (at which point all support ceases) as OpenSSL moves to version 3 (now at 3.02) which has even more significant ABI changes. All older OpenSSL versions (including 1.1.0, 1.0.2, 1.0.0, 0.9.8 and 0.9.7) are now out of support, contain multiple security vulnerabilities and should not be used.
-
Good thing I was cautious and didn't install anything
What would be the most reliable and secure way to get the OpenSSL libraries on Windows?
I googled, and there doesn't seem to be any reliable binaries source/installer for OpenSSL on Windows
-
For my recent work updating the lNet library (https://github.com/trevoz/lnet), I downloaded modern 32 and 64 bit Windows versions from: https://slproweb.com/products/Win32OpenSSL.html
-
But now I see a second issue, the installer starts working without asking for an admin account
and raises a warning/error when it tries to write DLLs in C:\Windows\System32
I think this also needs a fix, the installer needs to ask for admin privilege as soon as it starts
Simply uncheck "Globally Install openssl libraries" in "Select Components" step in Lazarus Setup.
-
But now I see a second issue, the installer starts working without asking for an admin account
and raises a warning/error when it tries to write DLLs in C:\Windows\System32
I think this also needs a fix, the installer needs to ask for admin privilege as soon as it starts
Simply uncheck "Globally Install openssl libraries" in "Select Components" step in Lazarus Setup.
If you know what "Globally Install" actually means the solution is obvious. And apparently users do not connect the dots when it doesn't work. Perhaps the installer needs to say "Install OpenSSL libraries in the Windows directory (requires administrator permissions)". The description matches the actions performed and tells you exactly what you need.
-
Perhaps it needs.
However apparently users ask here, when something doesn't work. And then they have choice according to answers: make it work as is, or wait when it will be corrected.
-
Some installers are more advanced, and check if the user installing is admin or not
if the user is not admin, the installer will install everything locally
if the user is admin, the installer will ask if he wants to install only for this one admin user, or for all users (I usually see it asked like this: for just you or all users)
also, I think we need to have more info on the DLLs installed, like version number
and does anyone know which version of OpenSSL is being installed, 1.1.1 or 3.0.3?
-
Perhaps it needs.
However apparently users ask here, when something doesn't work. And then they have choice according to answers: make it work as is, or wait when it will be corrected.
I have forgotten the best one: correct it by himself and help or join Lazarus team ;)
-
and does anyone know which version of OpenSSL is being installed, 1.1.1 or 3.0.3?
1.0.2
-
and does anyone know which version of OpenSSL is being installed, 1.1.1 or 3.0.3?
1.0.2
That's not good! OpenSSL 1.0.2 (LTS) January 22, 2015 (release date) December 31, 2019 (end of life).
-
and does anyone know which version of OpenSSL is being installed, 1.1.1 or 3.0.3?
1.0.2
May I ask, how did you know? Where is that documented? I googled it a bit, but could not find it
-
I checked the DLL info on Win11 - see image - it looks like 1.0.2
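
The same version check done from PowerShell instead of the file properties dialog, as an added example that is not part of the original post. The default search folders are assumptions (pass the application folder with `-Root` as well), the file-name patterns cover the DLL names used by OpenSSL 1.0.x, 1.1.x and 3.x Windows builds, and the end-of-support dates are the ones quoted earlier in this thread.

```powershell
# Added example: inventory OpenSSL DLLs and report their version resource.
function Get-OpenSslDll {
    param([string[]] $Root = @("$env:WINDIR\System32", "$env:WINDIR\SysWOW64"))

    # End-of-support dates as quoted in the thread; any other series is
    # treated as already out of support.
    $eol = @{ '3.0' = [datetime]'2026-09-07'; '1.1.1' = [datetime]'2023-09-11' }

    foreach ($dir in $Root | Where-Object { Test-Path -LiteralPath $_ }) {
        Get-ChildItem -LiteralPath $dir -File -Filter '*.dll' -ErrorAction SilentlyContinue |
            # libeay32/ssleay32: 1.0.x and older; libcrypto-*/libssl-*: 1.1.x and 3.x
            Where-Object { $_.Name -match '^(libeay32|ssleay32|libcrypto-.+|libssl-.+)\.dll$' } |
            ForEach-Object {
                $ver    = $_.VersionInfo.ProductVersion
                $series = $eol.Keys | Where-Object { $ver -like "$_*" } | Select-Object -First 1

                $status = if (-not $ver) {
                    'unknown (no version resource)'
                } elseif ($series -and (Get-Date) -le $eol[$series]) {
                    "supported until $($eol[$series].ToString('yyyy-MM-dd'))"
                } else {
                    'out of support'
                }

                [pscustomobject]@{
                    Path    = $_.FullName
                    Version = $ver
                    Status  = $status
                }
            }
    }
}

Get-OpenSslDll | Format-Table -AutoSize
```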
-
You can also get some more information with some program for reading resources, e.g. with windres provided with FPC:
-
Hopefully it will be updated to openssl 1.1.1o soon. Won't fix the OP's original problem though.
-
On debian, type openssl version
I get 1.1.1d
Under cygwin64/win64
I get 1.1.1f
-
Hopefully it will be updated to openssl 1.1.1o soon. Won't fix the OP's original problem though.
Well, if version 1.1.1 doesn't have any known issues or vulnerabilities, this would be a good enough solution
I think they should consider moving to version 3.0.3 or even to LibreSSL though
-
I think they should consider moving to version 3.0.3 or even to LibreSSL though
LibreSSL is not ABI compatible with any release of OpenSSL, or necessarily earlier releases of LibreSSL.
-
Openssl is updated to 1.1.1o in main. Please test.
The next logical step is the 3.x series, but we need more testing.
-
If you know what "Globally Install" actually means the solution is obvious. And apparently users do not connect the dots when it doesn't work. Perhaps the installer needs to say "Install OpenSSL libraries in the Windows directory (requires administrator permissions)". The description matches the actions performed and tells you exactly what you need.
So it would not be overlooked, I submitted an enhancement request to this effect. See PR: https://gitlab.com/freepascal.org/lazarus/lazarus/-/issues/39766
-
3 series is an architectural rewrite, so probably needs work. 1.1.1 is under active maintenance.
You can still run into trouble if you have not been paying attention, because many protocols have been removed from 1.1.1
- ssl2/3/tls1.0
- some key exchanges
Only use tls1.1, tls 1.2 or higher. There is no ssl in openssl, only tls.... :o %) :-X
Many people still have code that uses hardcoded ssl and that is wrong:
The handshake should be made latest first so starting with the strongest.
-
Openssl is updated to 1.1.1o in main. Please test.
The next logical step is the 3.x series, but we need more testing.
How can we test, when will the install file be updated?
I can confirm that the file I downloaded around 4 days ago, lazarus-2.2.2-fpc-3.2.2-win64.exe, still installs version 1.0.2
-
@systems
How can we test, when will the install file be updated?
I can confirm that the file I downloaded around 4 days ago, lazarus-2.2.2-fpc-3.2.2-win64.exe, still installs version 1.0.2
The installer will be only updated on the next major release. You can still test the binaries with Lazarus main/trunk. OPM will download the dlls when needed.
-
Why do these DLLs need to be installed globally?
-
@marcov
Why do these DLLs need to be installed globally?
No need for global install, at least not for OPM. It's just an option/possibility, in my opinion we should uncheck it by default.
-
@marcov
Why do these DLLs need to be installed globally?
No need for global install, at least not for OPM. It's just an option/possibility, in my opinion we should uncheck it by default.
Considering that I uncheck them each and every time I install Lazarus I'd welcome this...
-
@marcov
Why do these DLLs need to be installed globally?
No need for global install, at least not for OPM. It's just an option/possibility, in my opinion we should uncheck it by default.
Considering that I uncheck them each and every time I install Lazarus I'd welcome this...
And given that I already have a system-wide install, I delete the DLL files when the installer is done.
-
@systems
How can we test, when will the install file be updated?
I can confirm that the file I downloaded around 4 days ago, lazarus-2.2.2-fpc-3.2.2-win64.exe, still installs version 1.0.2
The installer will be only updated on the next major release. You can still test the binaries with Lazarus main/trunk. OPM will download the dlls when needed.
How do I test or trigger this, do I remove the old DLLs and install any package in OPM?
-
The installer will be only updated on the next major release. You can still test the binaries with Lazarus main/trunk. OPM will download the dlls when needed.
How do I test or trigger this, do I remove the old DLLs and install any package in OPM?
Afaik, OPM in the released version will also stick to downloading the old dll.
https://gitlab.com/freepascal.org/lazarus/lazarus/-/commit/4460f173ca442eb8a1473d73461007dd3bd9ab8a
I have no idea, if the current release will be able to recognize, load and use the newer dll.
But the above commit has changes in how it deals with ssl....
-
I have no idea, if the current release will be able to recognize, load and use the newer dll.
But the above commit has changes in how it deals with ssl....
No problem with fpc 3.2.0 and openssl 1.1.1 latest, at least on Windows and Debian derivatives on different architectures.