Sign Windows binary with digital signature

[IzStriker]

I used to use WakaTime at work to track my programming time, however, the CLI tool kept getting flagged by security because it isn't signed. I would like to keep using the WakaTime service is it possible to sign the your CLI tool?

[gandarez]

What OS are you using? Would you share the report you got?

[alanhamlett]

Must be Windows.

Automatic Code-signing on Windows using GitHub Actions

[IzStriker]

Hi, yes it's Windows 11. I'll get you the full details when I'm at work tomorrow.

[IzStriker]

Hi,
the exact reports I got from security were

hope you're well. We received an alert this morning that an unsigned software communicating externally to an api for a program called Wakatime. Is this regular behaviour for your device?

I'd expect that there may be other tools that could track this type of performance with the dev team, might be worth finding out if there is such a tool being used as our stance on unsigned Github software may change in the future.

Hi we have had an alert from your machine that "wakatime-cli-windows-amd64.exe" has been making connections to api.wakatime.com any idea what this is.  Many Thanks

[IzStriker]

Hi, is there a verdict on this request, are you willing you support this feature?

[alanhamlett]

Yes, we're working on getting a cert for signing Windows builds.

[smladenoff]

Hi all,
I'd like to contribute to this issue as well.
I'm on Win10 and AVG blocks wakatime-cli-windows-amd64.exe from running (stating "IDP.ARES.Generic") though does not detect when scanned, but here's the report from VT: https://www.virustotal.com/gui/file/f2d3bd662aaaa79abd5939cd5b20f0bfe982a6c97582762bc8e9de3d6d867bac
(For the record, my other scanners: Immunet does not detect, nor does SpybotS&D, nor does Malwarebytes. EDIT: clarification)

I'm curious as to why some providers consider the file malicious. Any comments from the devs?

[AlfredSimpson]

Adding update here - Previous comment states MalwareBytes does not detect this, however one machine I manage uses MalwareBytes and saw this flagged for the first time beginning 5 hours ago and again in the last 15 minutes.

I can confirm that it was wakatime-cli-windows-amd64.exe and the backup which were flagged. The device running it was operating W11 Pro. The timing coincides with this change by @alanhamlett .

[alanhamlett]

Probably not related to that change, but the fact that 1 hr ago we did a release so the binary signature changed. Usually once the AV programs all see the new binary signature and start trusting it the false positives go away, but the first day of a release it's more likely to get flagged.

[AlfredSimpson]

That tracks - thanks for the update and great product! I cited that change as the timing matched with the first alert. Likely the second matched as well for the same reason.