Security problem

Hi, I’m new here and I am in the process of downloading Audacity 2.1.2 full installer for the first time -
My operating system is Windows 7 home premium 64 bit and my browser is Firefox 52.0 32 bit. My problem is that when I try to run the installer, I get a security warning that “The publisher could not be verified” and “this file does not have a valid digital signature that verifies its publisher”. I don’t usually like ignoring safety warnings because there’s a reason that they’re there. Can anyone tell me why I’m getting this message? My virus protection won’t scan it - how can I be sure that the downloaded file is safe to run? Is there any possibility that someone has hacked some malware into your download file?

My virus protection won’t scan it

Any idea why that is? It’s an executable “EXE” file. I would assume virus protection software would go after that like a hungry dog.

Do you have Windows showing you filename extensions? That would be my first step to guard against oddly-named software.

MyFluffySoftware.txt is what it shows you, but it’s really MyFluffySoftware.txt.exe and it’s a Windows EXE installer for an evil software package and Windows is helpfully hiding the “.exe” extension “to help you.”

If you use the ZIP download instead of the EXE file, that may work around the registration problem.

… smaller download (without help files), also useful if you cannot run the installer because of restricted permissions…

http://www.audacityteam.org/download/windows/

Koz

If you do a checksum that will tell you if you have the real McCoy …
http://www.audacityteam.org/download/online-safety-when-downloading/#validate

Microsoft (and Apple) have schemes for “digitally signing” software. Software developers may buy a digital certificate with which they can add cryptographic keys to their software that uniquely associate the software with their certificate (hence with the developer’s credit card or bank account).
These digital certificates vary in price, from “self signed” certificates, which are free, to “Enhanced Validation” certificates that cost hundreds of dollars.

Up until, and including Audacity 2.1.2, Audacity releases have either not been digitally signed, or have been signed with “self signed” certificates. However, with ever growing concerns about security, both Microsoft and Apple are becoming more forceful about developers using more costly certificates.

Note that even without digital signing, the validity of a downloaded file may be confirmed, as described by Trebor. from a published “checksum”. I would recommend reading this page in full: http://www.audacityteam.org/download/online-safety-when-downloading/

When Audacity 2.1.3 is released (very soon), it will be digitally signed for both Windows and Mac. However, there may still be some mild warnings from Windows / Mac because we are not using one of the very expensive “Enhanced Validation” certificates.

Note also that even the most expensive certificate does not guarantee that software is free of malware. It just guarantees that the software you download has not been tampered with (which is also proved by checking the checksum).